APPENDIX A 

HTML for GPO CFIG. 17) 



<html dir="ltr M xmlns:v="urn:schemas-microsoft-com:vml" 

gpmcreportlni ti al i zed="f al se"> 

<head> 

<meta http-equiv="Content-Type" content="text/html ; charset=UTF-16" /> 

<title>LightlyManaged User settings</title> 

<!-- Styles --> 

<style type="text/css"> 

body { background-color :#FFFFFF; border:lpx solid #666666; 
color: #000000; font-size : 68%; font-family :Tahoma; margin :0,0,10px,0; word- 
break:normal ; word-wrap: break-word; } 

table { font-size: 100%; table-layout : fixed; width: 100%; } 

td,th { overflow: visible; text-align: left; vertical -align: top; 
white-space : normal ; } 

.title { background :#FFFFFF; border:none; color :#333333; 
displayiblock; height:24px; margin:0px,0px,-lpx,0px; padding-top :4px; 
position: relative; table-layout :fixed; width: 100%; z-index:5; } 

.he0__expanded { background-color :#FEF7d6; border:lpx solid 
#BBBBBB; color :#3333CC; cursor:hand; display :block; font-family :Tahoma; font- 
size:100%; font-weight : bold; height :2 .25em; margin-bottom :-lpx; margin-left :0px; 
margin-right:0px; padding-left :8px ; padding-right : 5em; padding-top :4px; 
position: relative; width:100%; } 

.hel_expanded { background-color :#A0BACB; border:lpx solid 
#BBBBBB; color : #000000; cursor:hand; display :block; font-family :Tahoma; font- 
size: 100%; font-weight : bold; height : 2 .25em; margin-bottom: -lpx; margin-left :10px; 
margin- right :0px; padding-left:8px; padding- right :5em; padding-top :4px; 
position: relative; width:100%; } 

.hel { background-col or :#A0BACB; border: lpx solid #BBBBBB ; 
color :#000000; cursor:hand; display : block; font-family :Tahoma; font-size : 100%; font- 
weight :bold; height :2.25em; margin-bottom: -lpx; margin-left :10px; margin-right:0px; 
padding-left:8px; padding- right : 5em; padding-top :4px; position: relative; width: 100%; 



.he2 { background-color:#C0D2DE; border:lpx solid #BBBBBB; 
color :#000000; cursor:hand; display :block; font-family :Tahoma; font-size: 100%; font- 
weight: bold; height:2.25em; margin-bottom: -lpx ; margin-left :20px; margin-right :0px;, 
padding-left:8px; padding-right:5em; padding-top :4px; position: relative; width:100%; 



.he3 { background-color:#D9E3EA; border:lpx solid #BBBBBB ; 
color :#000000; cursor:hand; display :block; font-family :Tahoma; font-size: 100%; font- 
weight:bold; height :2 . 25em; margin-bottom: -lpx; margin-left :30px; margin-right :0px ; 
padding-left:llpx; padding-right : 5em; padding-top :4px; position: relative; 
width: 100%; } 

.he4 { background-color:#E8E8E8; border:lpx solid #BBBBBB ; 
col or: #000000; cursor: hand; display : block; font-family :Tahoma; font-size: 100%; font- 
weight:bold; height :2 .25em; margin-bottom:-lpx; margin-left :40px; margin-right:0px; 
padding-left:llpx; padding- right :5em; padding-top :4px; position: relative ; 
width: 100%; } 

,he4h { background-col or :#E8E8E8; border: lpx solid #BBBBBB ; 
color : #000000; cursor:hand; display :block; font-family :Tahoma; font-size: 100%; fonr- 



weight: bold; height :2 .25em; margin-bottom :-lpx; margin-left :45px; margin-nght:0px; 
paddi ng-1 eft :llpx; padding-right :5em; paddi ng-top:4px; position: relative; 
width: 100%; } 

.he4i { background-color :#F9F9F9; border :lpx solid #BBBBBB; 
col or: #000000; display : block; font-family :Tahoma; font-size: 100%; margin-bottom :- 
lpx; margin-left:45px; margin-right :0px; padding-bottom: 5px; paddi ng-1 eft :21px; 
paddi ng-top:4px; position: relative; width:100%; } 

.he5 { background-color :#E8E8E8; border:lpx solid #BBBBBB; 
col or: #000000; cursor:hand; display:block; font-family :Tahoma; font-size: 100%; font- 
weight:bold; height :2 .25em; margin-bottom: -lpx; margin-left:50px; margin-right :0px; 
paddi ng-1 eft :llpx; padding- right : 5em; paddi ng-top:4px; position: relative ; 
width: 100%; } 

.he5h { background-col or :#E8E8E8; border:lpx solid #BBBBBB ; 
col or: #000000; cursor:hand; display : block; font-family:Tahoma; font-size : 100%; 
paddi ng-1 eft :llpx; paddi ng-right :5em; paddi ng-top:4px; margin-bottom: -lpx; margin- 
left:55px; margin-right :0px; position: relative; width:100%; } 

.he5i { background-color:#F9F9F9; border:lpx solid #BBBBBB; 
col or: #000000; display :block; tont-family :Tahoma; font-size: 100%; margin-bottom: - 
lpx; margin-left:55px; margin-right :0px; padding-left :21px; paddi ng-bottom:5px; 
padding-top: 4px; position: relative; width: 100%; } 

Div .expando { color : #000000 ; text-decoration: none; display : block; 
font-family:Tahoma; font-size: 100%; font-weight : normal ; position:absolute; 
right:10px; text-decoration:underline; z-index: 0; } 

.heO .expando { font-size: 100%; } 

.info, .info3, .info4, .disalign { line-height :1.6em; 
padding:0px,0px,0px,0px; margin:0px,0px,0px,0px; } 

.disalign TD { padding-bottom: 5px; paddi ng- 
right :10px; } 

.info TD { paddi ng-right :10px; width: 50%; } 

.info3 TD { paddi ng-right :10px; width: 33%; } 

,info4 TD, .info4 TH { padding-right :10px; width:25%; } 

.info TH, .info3 TH, .info4 TH, .disalign TH { border-bottom: lpx 
solid #CCCCCC; padding-right:10px; } 

.subtable, .subtable3 { border:lpx solid #CCCCCC; 

margin-! eft :0px; background :#FFFFFF; margin-bottom :10px; } 

.subtable TD, .subtable3 TD { padding-left :10px; paddi ng- 

right:5px; paddi ng-top:3px; paddi ng-bottom: 3px ; line-height :l.lem; width:10%; } 

.subtable TH, .subtable3 TH { border-bottom: lpx solid #CCCCCC; 

font -weight: no rmal ; padding-left : lOpx ; line-height :1.6em; } 

.subtable .footnote { border-top: lpx solid #CCCCCC; } 

.subtable3 .footnote, .subtable .footnote { border-top: lpx solid 

#cccccc; } 

.subtable_frame { background :#D9E3EA; border:lpx solid #CCCCCC; 
margin-bottom :10px; margin-left :15px; } 



.subtabl enframe TD { line-height :l.lem; padding-bottom :3px; 
padding-left:10px; padding-right:15px; padding-top :3px; } 

.subtabl enframe TH { border-bottom :lpx solid #CCCCCC; font- 
weight : normal ; padding-left:10px; line-height :1.6em; } 

.subtablelnnerHead { border-bottom :lpx solid #CCCCCC; border-top :lpx 

solid #CCCCCC; } 

.explainlink { color : #000000; text-decoration: none; 

cursor: hand; } 

.explainlink: hover { color :#0000FF; text-decoration underline; 

} 

.spacer { background transparent; border:lpx solid #6B6BBB ; 
col or :#FFFFFF ; display: block; font-family -.Tahoma; font-size: 100%; height:10px; 
margin-bottom :-lpx; margin-left :43px; margin- right :0px; padding-top: 4px; 
position: relative; } 

.filler { background:transparent; border:none; color :#FFFFFF; 
display: block; font: 100% Tahoma; line-height :8px; margin-bottom :-lpx; margin- 
left :43px; margin-right :0px; padding-top :4px; position: relative; } 

.container { display : block; position: relative; } 

.rsopheader { background-color :#A0BACB; border-bottom: lpx solid 
black; color :#333333; font-family :Tahoma; font-size: 130%; font-weight : bold; padding- 
bottom: 5px; text-align: center; } 

.rsopname { color :#333333; font-family : tahoma; font-size : 130%; font- 
weight: bold; padding-left :llpx; } 

.gponame{ color :#333333; font-family :Tahoma; font-size: 130%; font- 
weight: bold; paddmg-left:llpx; } 

.gpotype{ color :#333333; font-family :Tahoma; font-size: 100%; font- 
weight: bold; paddmg-1eft:llpx; } 

#uri { color:#333333; font-family :Tahoma; font-size: 100%; 
padding-left :llpx; } 

#dtstamp{ color:#333333; font-family :Tahoma; font-size: 100%; 
padding-left:llpx; text-align: left; width: 30%; } 

#objshowhide { color : #000000; cursor:hand; font-family :Tahoma; font- 
size: 100%; font-weight: bold; margin- right :0px; padding- right :10px; text-align: right; 
text-decoration underline; z-index:2; word-wrap: normal ; } 

#gposummary { display: block; } 

#gpoinformation { display : block; } 

©media print { 

#objshowhide{ display : none; } 

body { color: #000000; border:lpx solid #000000; } 
.title { color:#000000; border:lpx solid #000000; } 
.he0_expanded { color : #000000 ; border: lpx solid #000000; } 
.hel_expanded { color : #000000; border: lpx solid #000000; } 



#000000; } 



.hel { color: #000000; border :lpx solid #000000; } 

.he2 { col or: #000000; background :#EEEEEE; border :lpx solid 



.he3 { color: #000000 

.he4 { col or: #000000 

.he4h { col or: #000000 

.he4i { col or: #000000 

.he5 { col or: #000000 
.he5h { col or: #000000 

.he5i { col or: #000000 
} 

v\:* {behavior :url(#default#VML) ;} 



border :lpx solid #000000; } 
border :lpx solid #000000; } 
border :lpx solid #000000; } 
border :lpx solid #000000; } 
border:lpx solid #000000; } 
border :lpx solid #000000; } 
border :lpx solid #000000; } 



</style> 

<!-- script 1 --> 



<script language="vbscript"> 
<! — 



' string "strshowHide(0/l)" 
' 0 = Hide all mode. 
' 1 = Show all mode. 
strShowHide = 1 

'Localized strings 
strshow = "show" 
strHide = "hide" 
strShowAll = "show all" 
strHideAll = "hide all" 
strshown = "shown" 
strHidden = "hidden" 
strExpandoNumPixelsFromEdge = lOpx 

^"^sSecJilnHeldC^^Cooi" className = "heO.expanded") Or (obj.className - 
"hellexpanded") Or (obj.className = "hel") Or (obi .className = "he2") or 
(obiTclassSame - "he3"^ or (obj.className = ;;he4"j or (obj.className = he4h ) Or 
(obj.className = "he5") Or (obj.className = he5h ) 
End Function 

".expanded") 
End Function 

' strstate must be show | hide I toggle 

sub "tsectionstateCobjHeader, jgSgM)^^ ^ ^ ^ ^ >fMp ^ ^ 
obj . 



i = obiHeader .sourcelndex 

Set all = obiHeader. parentElement. document. all 
While (all (i; .className <> "container") 
i = i + 1 

Wend 

Set objContainer = all(i) 

If strstate = "toggle" Then 

If objContainer .style. display = "none" Then 
Setsectionstate objHeader, "show" 

Else 

Setsectionstate objHeader, "hide" 
End If 

Else 

Set objExpando = objHeader .children. item(l) 

If strstate = "show" Then 

objContainer .style. display = "block" 
objExpando. innerText = strHide 

El self strstate = "hide" Then 

objContainer. style. display = "none" 
objExpando. innerText = strShow 
End If 
End If 
End Sub 



Sub ShowSection(objHeader) 

Setsectionstate objHeader, "show" 
End Sub 



Sub HideSection(objHeader) 

Setsectionstate objHeader, "hide" 
End sub 



sub Togglesection(objHeader) 

Setsectionstate objHeader, "toggle" 
End sub 



' when user clicks anywhere in the document body, determine if user is clicking 
' on a header element. 

i _ 

Function document_onclick() 

Set strsrc = wi ndow. event .srcElement 

while (strsrc .className = "sectionTitle" or strsrc. className = "expando" Or 
strsrc. className = "vml image") 

Set strsrc = strsrc. parentElement 

Wend 

' Only handle clicks on headers. 

If Not isSectionHeader(strsrc) Then Exit Function 

ToggleSection strsrc 

window. event . returnValue = False 
End Function 



link at the top of the page to collapse/expand all collapsable elements 



Function objshowhide_ondick() 

Set objBody = document .body .all 
select case strShowHide 
Case 0 

strShowHide = 1 

objshowhide.innerText = strShowAll 
For Each obji In objBody 

if isSectionHeader(obji) Then 
Hidesection obji 

End If 

Next 
case 1 

strShowHide = 0 

objshowhide.innerText = strHideAll 
For Each obji In objBody 

If issectionHeader(obji) Then 
ShowSection obji 

End If 

Next 
End Select 
End Function 



onload collapse all except the first two levels of headers (heO, hel) 



Function window_onload() 

' Only initialize once. The UI may reinsert a report into the webbrowser 
control , 

' firing onLoad multiple times. 

If UCase (document . documentEl ement . getAttri bute("gpmc__reportlni ti al i zed")) <> 
"TRUE" Then 

' initialize sections to default expanded/collapsed state. 
Set objBody = document .body .all 

For Each obji in objBody 

If isSectionHeader(obji) Then 

If isSectionExpandedByDefault(obji) Then 
ShowSection obji 

Else 

Hidesection obji 
End if 
End If 

Next 

objshowhide.innerText = strShowAll 

document. documentEl ement. setAttribute "gpmc_reportlnitialized" , "true" 
End If 
End Function 



* when direction (LTR/RTL) changes, change adjust for readability 

i m _ _ ._ _ — — — ~— == — — — — — — — — — — — — — — rnrn: 

Function document_onPropertyChange() 

If wi ndow. event .propertyName = "dir" Then 
Cal 1 f DetDi r (UCase (document .dir)) 



End If 
End Function 
Function fDetDi r(strDi r) 

strDir = UCase(strDir) 

Select Case strDir 
Case "LTR" 

Set col Rules = document .stylesheets (0) . rules 
For i = 0 To col Rules .length -1 

Set nug = col Rules .item(i) 

strclass = nug.selectorText 

If nug.style.textAlign = "right" Then 
nug.style.textAlign = "left" 

End If 

Select Case strclass 
Case "DIV .expando" 

nug. style. Left = "" 

nug. style. right = strExpandoNumPixelsFromEdge 
case "#objshowhide" 

nug.style.textAlign = "right" 
End select 

Next 
Case "RTL" 

Set col Rules = document .stylesheets (0) . rules 
For i = 0 To col Rules. length -1 

Set nug = colRules .item(i) 

strclass = nug.selectorText 

If nug.style.textAlign = "left" Then 
nug.style.textAlign = "right" 

End If 

Select Case strclass 
Case "DIV .expando" 

nug. style. Left = StrExpandoNumPixelsFromEdge 
nug. style. right = "" 
case "#objshowhide" 

nug.style.textAlign = "left" 
End Select 

Next 
End select 
End Function 



'When printing reports, if a given section is expanded, let's says "shown" (instead 
of "hide" in the UI) . 

Function window_onbeforeprint() 
For Each obji in document. all 

If obji .className = "expando" Then 

If obji . innerText = strHide Then obji . innerText = strShown 
If obji .innerText = strshow Then obii .innerText = strHidden 
End If 

Next 
End Function 



[If a section is collapsed, change to "hidden" in the printout (instead of "show"). 

Function window_onafterprint() 
For Each obji In document. all 

If obji .className = "expando" Then 

If obji .innerText = strShown Then obii .innerText = strHide 
If obji .innerText = strHidden Then obji .innerText = strshow 
End If 

Next 
End Function 



I Adding keypress support for accessibility 

Function document_onKeyPress() 

If window. event .keyCode = "32" Or wi ndow. event .keyCode = "13" Or 
wi ndow. event. keyCode = "10" Then 'space bar (32) or carriage return (13) or line 
feed (10) 

If wi ndow. event .srcElement .className = "expando" Then Call 
document_onclick() : window. event . returnValue = false 

If window. event .srcElement. className = "sectionTitle" Then Call 
document_onclick() : wi ndow. event . returnvalue = false 

If window. event .srcElement .id = "objshowhide" Then Call 
objshowhide_onClick() : wi ndow. event . returnValue = false 

End If 
End Function 

— > 

</script> 

<!-- Script 2 --> 

<scri pt 1 anguage=" javascri pt "> 
<!-- 

f unct i on get Expl ai nwi ndowTi tl e () 

retu rn document . getEl ementByid ("expl ai nText_wi ndowTi tl e") . i nne rHTML ; 



unct i on get Expl ai nwi ndowstyl es () 

return document . getEl ementByld("expl ai nText_wi ndowstyl es") . i nnerHTML ; 



f uncti on getExpl ai nwi ndowsetti ngPathLabel () 

return document . getEl ementByld("expl ai nText_setti ngPathLabel ") . i nnerHTML ; 



f uncti on getExpl ai nwi ndowExpl ai nText Label () 

return document . getEl ementByld("expl ai nText_expl ai nTextLabel ") . i nnerHTML ; 



f uncti on getExpl ai nwi ndowPri ntButton () 

return document .getEl ementByid ("expl ainText_pri ntButton") .i nnerHTML; 



uncti on getExpl ai nwi ndowcl oseButton () 

return document . getEl ementByld("expl ai nText_cl oseButton") . i nnerHTML ; 



f uncti on getNoExpl ai nTextAvai 1 abl e () 
return 

document . getEl ementByid ("expl ai nText^noExpl ai nTextAvai 1 abl e") . i nnerHTML ; 



function getExpl ai nwi ndowSupportedLabel () 

return document . getEl ementByld("expl ai nText_supportedLabel ") . i nnerHTML ; 



f unct i on getNoSupportedTextAvai 1 abl e () 
return 

document . get El ementByld("expl ai nText_noSupportedTextAvai 1 abl e") . i nnerHTML ; 



f unct i on showExpl ai nText (s rcEl ement) 

var strSettingName = srcEl ement .getAttribute("gpmc_settingName") ; 
var strSettingPath = srcEl ement .getAttribute("gpmc_settingPath") ; 
var strSettingDescription = srcEl ement .getAttributeC'gpmc^settingDescription") ; 

if (strSettingDescription == "") 

strSettingDescription = getNoExplainTextAvailable() ; 



var strsupported = srcEl ement .getAttribute( ,, gpmc_supported ,, ) ; 
if (strsupported == "") 

strsupported = getNoSupportedTextAvailable() ; 



var strHtml = "<html>\n" ; 
strHtml += "<head>\n" ; 

strHtml += "<title>" + getExplainWindowTitle() + "</title>\n" ; 
strHtml += n <style type=' text/ess 1 >\n" + getExplainWindowStyles() + 
"</style>\n"; 

strHtml += "</head>\n" ; 
strHtml += "<body>\n"; 

strHtml += "<div class= , head'> M + strSettingName +"</div>\n"; 

strHtml += M <div class= , path , xb> M + getExplainWindowSettingPathLabel () + 
"</bxbr/>" + strSettingPath + M </div>\n M ; 

strHtml += "<div class=' path , xb>" + getExplainWindowSupportedLabel () + 
"</bxbr/>" + strsupported +"</div>\n" ; 

strHtml += "<div class=' info f >\n n ; 

strHtml += u <div class=' hdr ! > n + getExplainWindowExplainTextLabel () + 
"</div>\n"; 

strHtml += "<div class= , bdy , > u + strSettingDescription + "</div>\n" ; 

strHtml += "<div class= , btn , >"; 

strHtml += getExplainWindowPrintButton() ; 

strHtml += getExplainWindowCloseButtonO ; 

strHtml += rf </divx/bodyx/html>" ; 

var strDiagArgs = "height=360px, width=630px, status=no, toolbar=no, 
scroll bars=yes, resizable=yes " ; 

var expwin = window, open ( ,,M , "expWin" , strDiagArgs); 

expWin. document .write( ,r ") ; 

expwi n . document . cl ose () ; 

expwin .document .write (strHtml) ; 

expwi n . document . cl ose () ; 

expwi n.focus() ; 

//cancels navigation for IE. 

if (navigator .userAgent .indexof ( n MSIE M ) > 0) 

window. event . returnValue = false; 

} 

return false; 



</script> 

</head> 

<body> 

<!-- HTML resources --> 
<div style="display:none;"> 

<div id="explainText_windowTitle">Group Policy Management</di v> 

<di v i d="expl ai nText_wi ndowstyl es"> 

body { font-size: 68%; f ont-f ami ly:Tahoma; 
margin:0px f 0px,0px,0px; border: lpx solid #666666; background :#F6F6F6; width:100%; 
word-break : normal ; word-wrap: break-word; } 

.head { font-weight : bold; font-size: 160%; font- 
family :Tahoma; width:100%; color :#6587DC; background :#E3EAF9; border: lpx solid 
#5582D2; padding-left :8px; height:24px; } 

.path { margin-left: lOpx; margin-top: lOpx; margin- 

bottom:5px;width:100%; } 

.info { paddi ng-1 eft :10px; width: 100%; } 

table { font-size: 100%; width:100%; border:lpx solid 

#999999; } 

th { border-bottom: lpx solid #999999; text- 
align: left; paddi ng-1 eft :10px; height :24px; } 

td { background:#FFFFFF; padding-left :10px; padding- 
bottom: lOpx; paddi ng-top:10px; } 

,btn { width: 100%; text-align: right; margin-top: 16px; } 

.hdr { font-weight: bold; border:lpx solid #999999; 
text-align: left; padding-top: 4px; padding-left :10px; height :24px; margin-bottom: - 
lpx; width: 100%; } 

.bdy { width:100%; height :182px; display : block; 
overflow: scroll ; z-index:2; background:#FFFFFF; padding-left :10px; padding- 
bottom: lOpx; paddi ng-top:10px; border: lpx solid #999999; } 

button { width:6.9em; height :2 .lem; font-size: 100%; 
font-family :tahoma; margin-right:15px; } 

©media print { 

.bdy { display: block; overflow: visible; } 

button { display: none; } 

.head { color : #000000; background :#FFFFFF; 

border: lpx solid #000000; } 

} 



</div> 

<div id="explainText_settingPathl_abel">Setting Path:</div> 
<di v i d="expl ai nText_expl ai nTextLabel ">Expl anati on</di v> 
<div id= M explainText_printButton n > 
<button name="Print" onClick="window.printO" 
accesskey= M P"><u>P</u>rint</button> 



</div> 

<div id="explainText_closeButton"> 
<button name="Close" onClick="window.close() 
accesskey="C"xu>C</u>lose</button> 

<div V id= ,, exp1ainText_noExplainTextAvaiTable">No explanation is available for 

this set ^J"3'^fngJ pn a i nT ext_supportedLabel">Supported on:</div> 

<div id="explainText_nosupportedTextAvai Table >Not avail able</div> 
</divxtable class= title" cellpadding="0" cellspacing= '0 > _ 
<trxtd colspan="2" class="gponame">LightlyManaged user settmgs</tdx/tr> 

<td id="dtstamp">Data collected on: 6/27/2003 4:33:29 PM</td> 

<tdxdiv id="objshowhide" tabindex="0"x/divx/td> 
</tr> 
</table> 

SJiv" clSS"So!S5SSed"xspan class="sectionTitle" tabindex="0">General</spanxa 

class="expando" href= H #"x/ax/div> .... 

<div class="container"xdiv class="hel"xspan class= sectionTitle 

tabindex="0">Details</spanxa class="expando href= # ></|></div> 

<div class="container"xdiv class="he4i"xtable class="info cellpaddmg= 0 

cellspacing="0'*> , , . . . 

<trxtd scope="row">Domain</tdxtd>gpmcdemo.com</tdx/tr> 
<trxtd scope="row">Owner</tdxtd>GPMCDEMO\Domain Admins</tdx/tr> 
<trxtd scope="row">created</tdxtd>4/10/2003 2:28:48 PM</td></tr> 
<trxtd scope= ,, row">Modified</tdxtd>4/10/2003 2:30:34 PM</tdx/tr> 
<trxtd scope="row">User Revisions</tdxtd>l (AD), 1 (sysyol)</tdx/tr> 
<trxtd scope="row">Computer Revisions</tdxtd>l (AD), 1 (sysvol)</tdx/tr> 
<trxtd scopW'row'^Unique lD</tdxtd>{B8523A61-8642-4913-8B00- 

<t^<td 6 scope="row">GPO status</tdxtd>Computer settings disabled</tdx/tr> 
</tablex/divx/div> 

<div class="hel"xspan class="sectionTitle" tabindex="0">Links</spanxa 
class="expando" href="#"x/ax/div> , ,, ... „ n ,. 

<div class="container"xdiv class="he4i"xtable class="mfo3 cellpadding= 0 
cellspacing="0"xtrxth scope= ,, col">Location</thxth scope="col •>Enforced</thxth 
scope="cor>Link status</thxth scope="col">Path</th></tr> 
<tr><td> Lightly Managed</tdxtd>No</tdxtd>Enabled</tdxtd>GPMCDemo. com/ Corp 
Headquarters/User Accounts/Lightly Managed</tdx/tr> 

<br/>This list only includes links in the domain of the GPO.</divx/div> 

<t\l cl!Is="herx^^ tabindex="0">security Filtering</spanxa 

class="expando" href ="#"></ ax/div> .... n -i,, 

<div class="container"xdiv class="he4i "><b>The settings in this GPO can only apply 

to the following groups, users, and computers :</bx/div> 

<div class="he4i ,, > „, . <tn1l 

<table class="info" cellpadding= ,, 0" cellspacmg= 0 > 

<trxth scope="col ">Name</thx/trxtrxtd>NT AUTHORiTY\Authenti cated 

users</tdx/trx/table> 

</div> 

</div> 

^div class="herxspan d class= M section tabindex="0">WMl Filtering</spanxa 

class="expando" href ="#"></ ax/div> ...... „ 1lMlH{nfl .. n .. 

<div class="container"xdiv class="he4i"xtable class=' info cellpaddmg= 0 

<trxtd C scope=''row"><b>WMl Filter Name</bx/tdxtd>None</td></tr> 
<trxtd scope=" row"xb>Descri pti on</bx/tdxtd>Not appl i cabl e</tdx/tr> 



</tabl ex/di vx/di v> 

<div class= ,, filler ,, x/div> 

<div class="hel"xspan class="sectionTitle" tabindex="0">Delegation</spanxa 
class="expando" href= ,, #"x/ax/div> 

<div class= ll container ,, xdiv class="he4i "xb>These groups and users have the 
specified permission for this GPO</bx/div> 
<div class= M he4i n > 

<table class="info3" cell paddinq="0" cellspacing= ,, 0 ,, > 

<trxth scope="col">Name</thxth scope="cor'>Al Towed Permissions</thxth 
scope="col M >lnherited</thx/tr> 

<trxtd>GPMCDEMO\Delegated Admins</tdxtd>Edit settings, delete, modify 
security</tdxtd>No</tdx/tr> 

<trxtd>GPMCDEMO\Domain Admins</tdxtd>Edit settings, delete, modify 
security</tdxtd>No</tdx/tr> 

<trxtd>GPMCDEMO\Enterprise Admins</tdxtd>Edit settings, delete, modify 
security</tdxtd>No</tdx/tr> 

<trxtd>NT AUTHORITY\Authenticated users</tdxtd>Read (from Security 
Fi 1 teri ng) </tdxtd>No</tdx/t r> 

<trxtd>NT AUTHORITY\ENTERPRISE DOMAIN C0NTR0LLERS</tdxtd>Read</tdxtd>NO</tdx/tr> 
<trxtd>NT AUTHORITY\SYSTEM</tdxtd>Edit settings, delete, modify 
security</tdxtd>No</tdx/tr> 
</table> 

</di vx/di vx/di v> 

<div class=' , filler ,, x/div> 

</div> 

<div class="heO_expanded"xspan cl ass="sectionTitl e" tabindex="0">Computer 
Configuration (Disabl ed)</spanxa class="expando" href="#"x/ax/div> 
<div class="container"xdiv class="he4i M >No settings defined.</di vx/di v> 
<div class= l, filler ,, x/div> 

<div class="heO_expanded"xspan class="sectionTitle" tabindex="0 M >User configuration 
(Enabled)</spanxa class="expando" href="#"x/ax/div> 

<div class="container"xdiv class="hel_expanded"xspan class="sectionTitle" 
tabindex="0">windows settings</spanxa class="expando" href="# ,, x/ax/div> 
<div class="container ,, xdiv class="he2"xspan class="sectionTitle M 
tabindex= ,, 0 M >Security Settings</spanxa class="expando" href= ,, #"x/ax/di v> 

<div class="container M xdiv class="he3 M xspan class= n sectionTitle" 
tabindex="0">Public Key Pol icies/Autoenrollment Settings</spanxa class=' , expando M 
href= ,, # ,, x/ax/div> 

<div class= n container u xdiv class="he4i ,, xtable class= ,, info ,, cellpadding="0 M 
cellspacing= n O n > 

<t rxth scope= n col n >Pol i cy</thxth scope= u col ">setti nq</thx/t r> 

<t rxtd>Enrol 1 ce rti f i cates automati ca 1 1 y</tdxtd>Enabl ed</tdx/t r> 

<trxtd colspan= n 2 n xtable class="subtab Ie3" cellpadding= ,, O n cellspacing="0 M > 

<trxtd scope="row">Renew expired certificates, update pending certificates, and 

remove revoked certificates</tdxtd>Disabled</tdx/tr> 

<trxtd scope= n row">Update certificates that use certificate 

tempi ates</tdxtd>Disabled</tdx/tr> 

</tabl ex/tdx/t rx/tabl e> 

</di vx/di vx/di vx/di vxdiv class= ,, filler"x/div> 

<div class="hel_expanded ,f xspan class="sectionTitle" tabindex= M O n >Administrative 

Tempi ates</spanxa class="expando" href= ,, # ,, x/ax/div> 

<div class= ,, container"xdiv class= ,, he3"xspan class="sectionTitle M 

tabindex="0">Control Panel </spanxa class="expando" href= n # n x/ax/div> 

<div class="container M xdiv class= M he4i "xtable class= ,, info" cellpadding="0" 

cellspacing= M 0"> 

<trxth scope="col ">Pol i cy</thxth scope= n col ">Setti ng</thx/tr> 
<trxtdxa cl ass="expl ai nl i nk" href=" iavascri pt : voi d() ; " 

onclick="javascript :showExplainText(tnis) ; return false;" gpmc_settingName= M Show 
only specified Control Panel applets" gpmc_settingPath="user 

Configuration/Administrative Templates/Control Panel" gpmc_settingDescription="Hides 
all control Panel items and folders except those specified in this 
setting. &lt ;br/>&lt ;br/>This setting removes all Control Panel items (such as 
Network) and folders (such as Fonts) from the Control Panel window and the Start 



menu. It removes Control Panel items you have added to your system, as well the 
Control Panel items included in windows 2000 and Windows XP Professional. The only 
items displayed in control Panel are those you specify in this 

setting. &lt ;br/&gt ;&lt ;br/&gt ;To display a Control Panel item, type the file name of 
the item, such as Ncpa.cpl (for Network). To display a folder, type the folder name, 
such as Fonts. <br/><br/> This setting affects the Start menu and Control 
Panel window only. It does not prevent users from running any Control Panel 
i terns. <br/><br/> Also, see the &quot ; Remove Display in control 
Panel &quot; setting in User Configuration\Administrati ve Temp I ates\Control 
Panel\Display.&lt ;br/&gt ;&lt ;br/>lf both the &quot ;Hide specified Control 
Panel applets&quot ; setting and the &quot ;Show only specified Control Panel 
applets&quot ; setting are enabled, the &quot ;Show only specified control 
Panel applets&quot ; setting is ignored. &lt ;br/&gt ;&lt ;br/&gt ;Tip: To find the 
file name of a Control Panel item, search for files with the .cpl file name 
extension in the %Systemroot%\System32 directory." gpmc_supported="At least 
Microsoft Windows 2000">show only specified Control Panel 
appl ets</ax/tdxtd>Enabl ed</tdx/t r> 

<trxtd colspan="2"xtable class="subtable_f rame" cellpadding= M 0 M cellspacing="0"> 

<trxtd colspan="2"xtable class=' , subtable" cell padding="0" cellspacing="0"> 

<trxth scope="col">List of allowed Control Panel applets</thx/tr> 

<t rxtd>access . cpl </tdx/tr> 

<trxtd>appwi z . cpl </tdx/t r> 

<trxtd>desk . cpl </tdx/t r> 

<t rxtd>mai n .cpl </tdx/t r> 

</tablex/tdx/trxtrxtd col span="2">To create a list of allowed Control Panel 
applets, click show, </tdx/trxtrxtd colspan="2">then Add, and enter the Control 
Panel file name (ends with .cpl)</tdx/trxtrxtd colspan="2">or the name displayed 
under that item in the Control Panel ,</tdx/trxtrxtd colspan= ,, 2">(e.g. , desk. cpl, 
powercfg.cpl , Printers) </tdx/trx/tablex/tdx/trx/table> 
</divx/divxdiv class= ,, he3"xspan class= M sectionTitle" tabindex="0">Control 
Panel/Add or Remove Programs</spanxa class="expando M href="#"x/ax/div> 
<div class="container"xdiv class="he4i"xtable class="info" cell padding="0" 
cellspacing= ,, 0"> 

<trxth scope="col ">Pol icy</thxth scope="col ">Setti ng</thx/tr> 
<trxtdxa class="explainl ink" href=" javascript :void() ;" 

oncl ick=" javascri pt : showExpl ai nText (thi s) ; return f al se ; " gpmc_setti ngName="Hi de 
Add/Remove windows Components page" gpmc_settingPath="User 
Configuration/Administrative Templates/Control Panel /Add or Remove Programs" 
gpmc_settingDescription="Removes the Add/Remove Windows Components button from the 
Add or Remove Programs bar. As a result, users cannot view or change the associated 
page. &1 t ; br/&gt ;&Tt ; br/&gt ; The Add/Remove Windows Components button lets users 
configure installed services and use the windows Component Wizard to add, remove, 
and configure components of windows from the installation 

files.&lt ;br/&gt ;&lt ;br/&gt ;lf you disable this setting or do not configure it, the 
Add/Remove Windows Components button is available to all 

users. &lt ;br/&gt ;&lt ;br/&gt ;This setting does not prevent users from using other 
tools and methods to configure services or add or remove program components. 
However, this setting blocks user access to the windows Component Wizard." 
gpmc_supported="At least Microsoft Windows 2000">Hide Add/Remove windows Components 
page</ax/tdxtd>Enabl ed</tdx/tr> 

<trxtdxa class= ,, explainlink" href=" javascript :void() ;" 

oncl ick="javascript: showExpl ai nText (this) ; return false;" gpmc_settingName="Hide the 
&quot ;Add a program from CD-ROM or floppy disk&quot ; option" 
gpmc_settingPath="user Configuration/Administrative Templates/Control Panel/Add or 
Remove Programs" gpmc_.settingDescription="Removes the &quot ;Add a program from 
CD-ROM or floppy disk&quot ; section from the Add New Programs page. This 
prevents users from using Add or Remove Programs to install programs from removable 
media.&lt ;br/&gt ;&lt ;br/&gt ;lf you disable this setting or do not configure it, the 
&quot ;Add a program from CD-ROM or floppy disk&quot ; option is available to 
all users. <br/&gt ;&lt ;br/&gt ;This setting does not prevent users from using other 
tools and methods to add or remove program components. &lt ;br/&gt ;&lt ;br/> Note: if 
the &quot ;Hide Add New Programs page&quot ; setting is enabled, this setting 
is ignored. Also, if the &quot; Prevent removable media source for any 
install &quot ; setting (located in User Configuration\Administrative 



Tempi ates\Wi ndows Components\windows Installer) is enabled, users cannot add 
programs from removable media, regardless of this setting." gpmc_supported="At least 
Microsoft Windows 2000">Hide the "Add a program from CD-ROM or floppy 
di sk&quot ; option</ax/tdxtd>Enabl ed</tdx/t r> 
<trxtdxa class="explainlink" href =" -javascript : void() ; " 

onclick= H javascript:showExplainText(this); return false;" gpmc_settingName="Hide the 
&quot;Add programs from Microsoft&ampjquot ; option" gpmc_settingPath="User 
Configuration/Administrative Templates/control Panel/Add or Remove Programs" 
gpmc_settingDescription="Removes the &quot ;Add programs from Microsoft&ampjquot • 
section from the Add New Programs page. This setting prevents users from using Add 
or Remove Programs to connect to windows Update. &lt ;br/>&lt ;br/&gt ;lf you disable 
this setting or do not configure it, &quot ;Add programs from Microsoft&quot ; 
is available to all users. <br/><br/>This setting does not prevent users 
from using other tools and methods to connect to windows 
Update. <br/><br/> Note: If the &quot ;Hide Add New Programs 
page&ampjquot ; setting is enabled, this setting is ignored." gpmc_supported="At 
least Microsoft windows 2000">Hide the "Add programs from Microsoft&quot : 
option</ax/tdxtd>Enabled</tdx/tr> 

<trxtdxa class="explainlink" href="iavascript :void() ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Specify 
default category for Add New Programs" gpmc_settingPath="user 
Configuration/Administrative Templates/Control Panel /Add or Remove Programs" 
gpmc_settingDescription="Specifies the category of programs that appears when users 
open the &quot; Add New Programs&ampjquot ; page.&lt ;br/&gt ;&lt ;br/>lf you 
enable this setting, only the programs in the category you specify are displayed 
when the &quot ;Add New Programs&ampjquot; page opens. Users can use the Category 
box on the &quot ;Add New Programs&quot ; page to display programs in other 
categories.<br/><br/>To use this setting, type the name of a category in 
the category box for this setting. You must enter a category that is already defined 
in Add or Remove Programs. To define a category, use Software 

Installation. &lt ;br/&gt ;&lt ;br/&gt ;lf you disable this setting or do not configure 

it, all programs (Category: All) are displayed when the &quot ;Add New 

Programs&quot; page opens. &lt ;br/&gt ;&lt ;br/&gt ; You can use this setting to 

direct users to the programs they are most likely to 

need.&l t;br/><br/>Note: This setting is ignored if either the 

&quot; Remove Add or Remove Programs&ampjquot; setting or the &quot jHide Add 

New Programs page&ampjquot ; setting is enabled." gpmc_supported="At least Microsoft 

Windows 2000">Specify default category for Add New 

Programs</ax/tdxtd>Enabled</tdx/tr> 

<trxtd colspan="2"xtable class="subtable_f rame" cellpadding="0" cellspacinq=: ,, 0 ,, > 
<trxtd>Category:</tdxtd>Custom Applications</tdx/tr> 
</tabl ex/tdx/trx/tabl e> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">Control 

Panel /Display</spanxa class="expando" href="#"x/ax/div> 

<div class="container"xdiv class="he4i"xtable class="info" cellpaddinq="0" 

cellspacing="0"> 

<trxth scope="col ">Pol i cy</thxth scope="col ">Setti ng</thx/t r> 
<trxtdxa class="explain I ink" href="iavascript :void() ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Hide 
Settings tab 1 gpmc_settingPath="user Configuration/Administrative Templates/Control 
Panel /Display" qpmc_settinqDescription="Removes the Settings tab from Display in 
Control Panel .&lt ; br/&gt ;&Tt j br/> This setting prevents users from using Control 
Panel to add, configure, or change the display settings on the computer." 
gpmc_supported="At least Microsoft windows 2000">Hide Settings 
tab</ax/tdxtd>Enabled</tdx/tr> 

<trxtdxa class="explainlink" href="iavascript : void() ; " 

onclick="javascript:showExplainText(this) ; return false;" gpmc_settingName="Screen 
Saver gpmc_settingPath="User Configuration/Administrative Templates/Control 
Panel /Display" gpmc_settingDescription="Enables desktop screen 

savers. &lt ;br/&gt ;&lt ;br/&gt ;lf you disable this setting, screen savers do not run. 
Also, this settinq disables the Screen Saver section of the Screen Saver tab in 
Display in control Panel. As a result, users cannot change the screen saver 
options.<br/>&ltjbr/>lf you do not configure it, this setting has no effect 
on the system. &lt ;br/&gt ;&lt ;br/&gt ;lf you enable it, a screen saver runs, provided 



the following two conditions hold: First, a valid screensaver on the client is 
specified through the &quot ; Screensaver executable name&quot; setting or 
through control Panel on the client computer, second, the screensaver timeout is set 
to a nonzero value through the setting or control Panel .41 t;br/>&l t:br/&gt: Also 
see the &quot; Hide Screen saver tab&quot; setting." gpmc.supported^At least 
Microsoft Windows 2000 Service Pack l">screen Saver</ax/tdxtd>Enabled</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:voidO ;" 




ingName="screen 
istrative 

.-... r ■-—•*/ ww..w. v, . r«, lt , / w, J u,ojr yHiiiv._ieLL myuestr iption= bpecines the screen saver 
for the user s desktop. <br/><br/> If you enable this setting, the system 
displays the specified screen saver on the user's desktop. Also, this setting 
disables the drop T down list of screen savers on the screen saver tab in Display in 
Control Panel, which prevents users from changing the screen 
saver. <br/><br/>if you disable this setting or do not configure it, 
users can select any screen saver. <br/><br/>lf you enable this setting, 
type the name of the file that contains the screen saver, including the .scr file 
name extension, if the screen saver file is not in the %Systemroot%\System32 
directory, type the fully qualified path to the file.<br/>&lt:br/>lf the 
specified screen saver is not installed on a computer to which this setting applies 
the setting is ignored.<br/><br/>Note: This setting can be superseded by 
the &quot; Screen Saver&quot; setting, if the &quot; Screen 
Saver&quot; setting is disabled, this setting is ignored, and screen savers do 
not run. gpmc_supported="At least Microsoft Windows 2000 Service Pack l">screen 
Saver executable name</a></tdxtd>Enabled</tdx/tr> 

<trxtd colspan="2"xtable class="subtable_frame" cellpadding="0" cellspacing="0"> 
<trxtd>Screen Saver executable name</tdxtd>scrnsave.scr</tdx/tr> 
</tablex/tdx/trx/table> 

</divx/divxdiv class="he3"xspan class="sectionTitle" 
tahmdex="0">Desktop</spanxa class="expando" href="#"x/ax/div> 
<div class="container"xdiv class="he4i"xtable class="info" cellpaddinq^'O" 
cellspacing= 0 > M 
<trxth scope="col ">Pol icy</thxth scope="col ">Setti ng</thx/tr> 
<trxtdxa class="explain I ink" href="iavascript:void() j" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Do not 
add shares of recently opened documents to My Network Places" gpmc_settingPath="User 
conti gurati on/Admi m strati ve Tempi ates/Desktop" gpmc_setti ngDescr i ption="Remote 
shared folders are not added to My Network Places whenever you open a document in 
the shared folder. <br/> <br/> if you disable this setting or do not 
configure it, when you open a document in a remote shared folder, the system adds a 
connection to the shared folder to My Network Places .&lt ;br/&gt ;<br/> if you 
enable this setting, shared folders are not added to My Network Places automatically 
when you open a document in the shared folder." gpmc_supported="At least Microsoft 
Windows 2000 >Do not add shares of recently opened documents to My Network 
Pi aces</ax/tdxtd>Enabl ed</tdx/t r> 

<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName=" Prevent 
adding, dragging, dropping and closing the Taskbar's toolbars" 
gpmc_setti ngPath="user Conf i gurati on/Admi nistrati ve Tempi ates/Desktop" 
gpmc settingDescription="Prevents users from manipulating desktop 
toolbars. <br/><br/>lf you enable this setting, users cannot add or 
remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of 
docked toolbars. <br/><br/>Note: if users have added or removed toolbars, 
this setting prevents them from restoring the default 

configuration. <br/><br/>Tip: To view the toolbars that can be added to 
the desktop, right-click a docked toolbar (such as the taskbar beside the Start 
button), and point to &quot;Toolbars.&quot;<br/><br/&gt ;Also, see 
the &quot; Prohibit adjusting desktop toolbars&ampjquot; setting." 
gpmc_supported="At least Microsoft windows 2000">Prevent adding, dragging, dropping 
and closing the Taskbar's tool bars</ax/tdxtd>Enabled</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:voidO ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Prohibit 
user from changing My Documents path" gpmc_settingPath="User 

Conf i guration/Admi ni strati ve Tempi ates/Desktop" gpmc_setti ngDescri ption="Prevents 



users from changing the path to the My Documents folder .<br/&gt ;<br/&gt ; By 
default, a user can change the location of the My Documents folder by typing a new 
path in the Target box or the My Documents Properties dialog 

box.<br/&gt ;&lt ;br/&qt ;If you enable this setting, users are unable to type a new 
location in the Target box." gpmc_supported="At least Microsoft Windows 
2000">Prohibit user from changing My Documents path</ax/tdxtd>Enabled</tdx/tr> 
</table> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">Network/Network 
Connections</spanxa class= ,, expando" href="#"x/ax/di v> 

<div class= M container n xdiv class="he4i"xtable class="info" cell paddinq= M 0 ,, 
cellspacing="0"> y 
<trxth scope="col">Policy</thxth scope="col ">Setting</thx/tr> 
<trxtdxa class="explainlink" href="iavascri>t:voidQ ;" 

one! ick= M javascript:showExplainText (this) ; return false;" gpmc_settingName="Prohibit 
access to the Advanced Settings item on the Advanced menu" gpmc_settingPath="user 
Configuration/Administrative Templates/Network/Network Connections" 
gpmc_settingDescription="Determines whether the Advanced Settings item on the 
Advanced menu in Network Connections is enabled for 

administrators. <br/&gt ;&lt ;br/>The Advanced Settings item lets users view and 
change bindings and view and change the order in which the computer accesses 
connections, network providers, and print providers. &lt ;br/&gt ;&lt ;br/&gt ;lf you 
enable this setting (and enable the &quot; Enable Network Connections settings 
for Administrators&quot ; setting), the Advanced Settings item is disabled for 
administrators. <br/><br/> Important: if the &quot; Enable Network 
Connections settings for Administrators&quot ; is disabled or not configured, 
this settinq will not apply to administrators on post-windows 2000 
computers. <br/><br/> If you disable this settinq or do not configure it, 
the Advanced Settings item is enabled for administrators. <br/><br/>Note: 
Nonadministrators are already prohibited from accessing the Advanced Settings dialog 
box, regardless of this setting." gpmc_supported="At least Microsoft windows 2000 
Service Pack l">Prohibit access to the Advanced Settings item on the Advanced 
menu</ax/tdxtd>Enabl ed</tdx/t r> 
</table> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">Network/offline 
Files</spanxa class="expando" href="#"x/ax/div> 

<div class="container"xdiv class="he4i "xtable class="info" cell padding="0" 
cellspacing="0"> 

<trxth scope="col">Policy</thxth scope="col ">setting</thx/tr> 
<trxtdxa class="explainl ink" href="iavascript:void() ;" 

one! ick=" javascript :showExplainText(this) ; return false;" gpmc_settinqName=" Prevent 
use of offline Files folder" gpmc_settingPath="user Configuration/Administrative 
Templates/Network/Offline Files" gpmc_settingDescription= Disables the offline Files 
folder. <br/><br/>This settinq disables the &quot ;View 
Files&quot; button on the offline Files tab. As a result, users cannot use the 
Offline Files folder to view or open copies of network files stored on their 
computer. Also, they cannot use the folder to view characteristics of offline files, 
such as their server status, type, or location.<br/><br/>This setting 
does not prevent users from working offline or from saving local copies of files 
available offline. Also, it does not prevent them from using other programs, such as 
Windows Explorer, to view their offline files .&lt ;br/&gt ;<br/&gt ;This setting 
appears in the Computer Configuration and User Configuration folders. If both 
settings are configured, the settinq in computer Configuration takes precedence over 
the setting in User configuration. &Tt ;br/><br/&gt ;Tip: To view the offline 
Files Folder, in windows Explorer, on the Tools menu, click Folder options, click 
the Offline Files tab, and then click &quot ; View Files .&quot ; " 

pmc_supported="At least Microsoft windows 2000">Prevent use of offline Files 

ol der</ax/tdxtd>Enabl ed</tdx/t r> 
<trxtdxa class="explainl ink" href="iavascript:void() ;" 

onclick="javascript :showExplainText(this) ; return false;" gpmc_settingName="Prohibit 
user configuration of offline Files" gpmc_settingPath="user 
conf i gurati on/Admi ni strati ve Tempi ates/Network/Of f 1 i ne Fi 1 es" 

gpmc_settingDescription="Prevents users from enabling, disabling, or changing the 
configuration of offline Files. &lt ;br/&gt ;&lt ;br/&gt ;This setting removes the 
Offline Files tab from the Folder Options dialog box. It also removes the settings 



item from the offline Files context menu and disables the Settings button on the 
Offline Files Status dialog box. As a result, users cannot view or change the 
options on the Offline Files tab or offline Files dialog 

box. <br/>&lt ;br/&qt; This is a comprehensive setting that locks down the 
configuration you establish by using other settings in this 

folder. &lt ;br/&gt ;&lt ;br/>This setting appears in the Computer Configuration and 
user Configuration folders, if both settings are configured, the setting in Computer 
Configuration takes precedence over the setting in User 

Configuration. <br/&qt;<br/>Tip: This setting provides a quick method for 
locking down the default settings for offline Files. To accept the defaults, just 
enable this setting. You do not have to disable any other settings in this folder. " 
gpmc_supported="At least Microsoft windows 2000">Prohibit user configuration of 
Offline Files</a></tdxtd>Enabled</tdx/tr> 

<trxtd colspan="2"xtable class= M subtabl e_frame" cellpadding="0" cellspacing="0"> 
<trxtd colspan="2">Prevents users from changing any cache configuration 
setti nqs . </tdx/trx/tabl ex/tdx/t rxtrxth scope= 'col M >Pol icy</thxth 
scope= col ">Setting</thx/tr> 

<trxtdxa class="explainl ink" href=" javascript : void() ; " 

oncl ick=" javascript : showExpl ai nText (thi s) ; return false;" gpmc_settingName=" Remove 
'Make Available Offline'" gpmc_settingPath="user Configuration/Administrative 
Templates/Network/Offline Files" qpmc_settingDescription="Prevents users from making 
network files and folders available off! ine.<br/><br/> This setting 
removes the &amp ;quot ;Make Available offline&quot ; option from the File menu and 
from all context menus in windows Explorer. As a result, users cannot designate 
files to be saved on their computer for offline use.<br/><br/&qt;However, 
this setting does not prevent the system from saving local copies of files that 
reside on network shares designated for automatic caching. &lt ;br/&gt ;&lt ;br/&gt ;This 
setting appears in the Computer configuration and User configuration folders. If 
both settings are configured, the setting in Computer Configuration takes precedence 
over the setting in User Configuration." gpmc_supported="At least Microsoft windows 
2000">Remove 'Make Available Offline' </ax/tdxtd>Enabled</tdx/tr> 
<trxtdxa class="explainlink" href=" javascript :void() ; " 
onclick=" javascript :showExplainText(this) ; return false;" 
gpmc_settingName="Synchronize all offline files before logging off" 
gpmc_settingPath="User configuration/Administrative Templates/ Network/Offline Files" 
gpmc_settinqDescription="Determines whether offline files are fully synchronized 
when users Tog off .<br/&qt ;< br/> This setting also disables the 
&quot Synchronize all offline files before logging off&quot ; option on the 
Offline Files tab. This prevents users from trying to change the option while a 
setting controls it.&lt ;br/&gt ;<br/&gt ;lf you enable this setting, offline files 
are fully synchronized. Full synchronization ensures that offline files are complete 
and current. <br/>&lt ;br/&gt ;lf you disable this setting, the system only 
performs a quick synchronization. Quick synchronization ensures that files are 
complete, but does not ensure that they are current .&lt ;br/&qt ;&lt ;br/> If you do- 
not configure this setting, the system performs a quick synchronization by default, 
but users can change this option.<br/><br/>This setting appears in the 
Computer Configuration and User configuration folders. If both settings are 
configured, the setting in Computer Configuration takes precedence over the setting 
in user Configuration .&lt ;br/&gt ;&lt ;br/&gt ;Tip: To change the synchronization 
method without changing a setting, in windows Explorer, on the Tools menu, click 
Folder options, click the Offline Files tab, and then select the 
&quot; Synchronize all offline files before logging off&quot ; option." 
pmc_supported="At least Microsoft windows 2000">Synchronize all offline files 
efore logging off</ax/tdxtd>Enabled</tdx/tr> 
</table> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">start Menu and 
Taskbar</spanxa class="expando" href="#"x/ax/div> 

<div class="container"xdiv class="he4i "xtable class="info" cellpaddinq="0" 
cellspacing="0"> 

<trxth scope="col">Policy</thxth scope="col ">Setting</thx/tr> 
<trxtdxa class="explainlink" href=" javascript :void() ; " 

onclick="javascript:showExplainText(this) ; return false;" gpmc_settingName="Add 
Logoff to the Start Menu" gpmc__settingPath="user Configuration/Administrative 
Templates/Start Menu and Taskbar" gpmc_settingDescription="Adds the &quot;Log 



Off &lt;username&gt;&quot; item to the Start menu and prevents users 
from removing it.<br/><br/>if you enable this setting, the Log off 
&lt;username&gt ; item appears in the start menu. This setting also removes 
the Display Logoff item from Start Menu options. As a result, users cannot remove 
the Loq off &lt ;username&gt ; item from the Start 

Menu.&Tt;br/><br/&qt ;lf you disable this setting or do not configure it, users 
can use the Display Logoff item to add and remove the Log off 

item.<br/><br/>This setting affects the Start menu only. It does not 
affect the Log off item on the Windows Security dialog box that appears when you 
press Ctrl+Alt+Del .<br/><br/>Note: To add or remove the Log off item on 
a computer, click start, click Settings, click Taskbar and Start Menu, click the 
Start Menu options tab, and then, in the Start Menu Settings box, click Display 
Logoff .< br/>< br/> Also, see &quot; Remove Logoff&quot ; in User 
Configuration\Admini strati ve Tempi ates\System\Logon/Logoff . " gpmc_supported="At 
least Microsoft Windows 2000">Add Logoff to the Start 
Menu</ax/tdxtd>Enabled</tdx/tr> 

<t rxtdxa cl ass="expl ai nl i nk" href="iavascri pt : voi d() ; ,f 

onclick="javascript:showExplainText(this) ; return false;" gpmc_settingName="Force 
classic start Menu" gpmc_settingPath="user Configuration/Administrative 
Templates/Start Menu and Taskbar" gpmc_settingDescription="This setting effects the 
presentation of the Start menu.&lt ;br/&gt ;&lt ;br/>The classic start menu in 
Windows 2000 Professional allows users to begin common tasks, while the new Start 
menu consolidates common items onto one menu. When the classic Start menu is used, 
the following icons are placed on the desktop: My Documents, My Pictures, My Music, 
My Computer, and My Network Places. The new start menu starts them 
di recti y.<br/&gt ;&lt ;br/&gt ; If you enable this setting, the Start menu displays 
the classic start menu in the windows 2000 style and displays the standard desktop 
icons.<br/><br/>lf you disable this setting, the Start menu only 
displays in the new style, meaning the desktop icons are now on the start 
page.<br/><br/&gt ;lf you do not configure this setting, the default is the 
new style, and the user can change the view." gpmc_supported="At least Microsoft 
Windows XP Professional or windows Server 2003 family">Force classic Start 
Menu</ax/tdxtd>Enabl ed</tdx/tr> 

<t rxtdxa class="explainl ink" href="iavascript :void() ; " 

one! ick="iavascript:showExplainText (this) ; return false;" gpmc_settingName="Gray 
unavailable windows instal ler programs Start Menu shortcuts" qpmc_settingPath="User 
Configuration/Administrative Templates/Start Menu and Taskbar" 
gpmc_settingDescription="Displays Start menu shortcuts to partially installed 
programs in gray text.&lt ;br/&gt ;&lt ;br/&qt;This setting makes it easier for users 
to distinguish between programs that are fully installed and those that are only 
partially installed.&lt ;br/><br/> Parti ally installed programs include those 
that a system administrator assigns using Windows installer and those that users 
have configured for full installation upon first use.&lt ;br/&qt ;&lt ;br/&gt ;lf you 
disable this setting or do not configure it, all Start menu shortcuts appear as 
black text.<br/><br/&qt;Note: Enabling this setting can make the Start menu 
slow to open." gpmc_supported= At least Microsoft Windows 2000">Gray unavailable 
Windows Installer programs Start Menu shortcuts</ax/tdxtd>Enabled</tdx/tr> 
<t rxtdxa class="explainlink" href=" javascript :void() ; " 

one! ick="javascript :showExplainText (this) ; return false;" gpmc_settingName="Remove 
links and access to windows Update" gpmc_settingPath="user 
Configuration/Administrative Templates/Start Menu and Taskbar" 

gpmc_settingDescription="Prevents users from connecting to the Windows Update Web 
site.<br/&gt ;<br/&gt ;This setting blocks user access to the Windows Update Web 
site at http://windowsupdate.microsoft.com. Also, the setting removes the Windows 
Update hyperlink from the Start menu and from the Tools menu in Internet 
Explorer. <br/><br/> Windows Update, the online extension of windows, 
offers software updates to keep a user's system up-to-date. The windows Update 
Product Catalog determines any system files, security fixes, and Microsoft updates 
that users need and shows the newest versions available for 
download.<br/><br/>Also, see the &quot ;Hide the &quot ; Add 

?rograms from Microsoft&quot ; option&quot ; setting." gpmc_supported="At 
east Microsoft Windows 2000 >Remove links and access to Windows 
Update</ax/tdxtd>Enabled</tdx/tr> 



<trxtdxa class="explainlink" href="iavascript :void() ;" 

onclick="javascri>t:showExplainText(this) ; return false;" gpmc_setti ngName=" Remove 
Network connections from Start Menu" gpmc_settingPath="user 
Configuration/Administrative Templates/Start Menu and Taskbar" 
gpmc_settingDescription="Prevents users from running Network 

Connections. &lt ;br/&gt ;&lt ;br/&gt ;This setting prevents the Network Connections 
folder from opening. This setting also removes Network Connections from Settings on 
the Start menu.&lt ;br/&gt ;&lt ;br/&gt ; Network Connections still appears in Control 
Panel and in Windows Explorer, but if users try to start it, a message appears 
explaining that a setting prevents the action. &lt ;br/&gt ;&lt ;br/>Also, see the 
&quot; Disable programs on Settings menu&quot ; and &quot; Disable Control 
Panel &quot; settings and the settings in the Network Connections folder 
(Computer Configuration and User Configuration\Administrative 

Tempi ates\Network\Network Connections)." gpmc_supported="At least Microsoft windows 
2000">Remove Network Connections from Start Menu</ax/tdxtd>Enabled</tdx/tr> 
</table> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabi ndex="0">System</spanxa 
class="expando" href= ,, # ,, x/ax/div> 

<div class= ,, container ,, xdiv class="he4i"xtable class="info" cellpadding="0" 
cellspacing= ,, O u > 

<t rxth scope="col ">Pol i cy</thxth scope="col ">setti ng</thx/t r> 
<trxtdxa class="explainlink" href=" javascript :void() ; " 

one! ick="javascript:showExplainText (this) ; return false;" gpmc_settingName="Don't 
display the Getting started welcome screen at logon" gpmc_setti ngPath="User 
Configuration/Administrative Templates/System" gpmc_settingDescription="Supresses 
the welcome screen. <br/><br/>This setting hides the welcome screen that 
is displayed on Windows 2000 Professional and Windows XP Professional each time the 
user logs on.&lt ;br/><br/> users can still display the welcome screen by 
selecting it on the Start menu or by typing &quot ;Welcome&quot ; in the Run 
dialog box. <br/><br/> This setting applies only to Windows 2000 
Professional and windows XP Professional, it does not affect the &quot ;Configure 
Your Server on a windows 2000 Server&quot ; screen on Windows 2000 
server. &lt ;br/&gt ;&lt ;br/&qt ;Note: This setting appears in the Computer 
Configuration and user Configuration folders, if both settings are configured, the 
setting in Computer Configuration takes precedence over the setting in User 
configuration. <br/&gt ;&lt ;br/&gt ;Tip: To display the welcome screen, click Start, 
point to Programs, point to Accessories, point to System Tools, and then click 
&quot; Getting Started. &quot; To suppress the welcome screen without 
specifying a setting, clear the &quot ;show this screen at startup&ampjquot ; 
check box on the welcome screen." gpmc_supported="only works on Microsoft windows 
2000">Don , t display the Getting started welcome screen at 
logon</ax/tdxtd>Enabled</tdx/tr> 

<trxtdxa class="explainlink" href=" javascript : void() ; " 

onclick="javascript:showExplainText(this) ; return false;" gpmc_settingName=" Prevent 
access to registry editing tools" gpmc_settinqPath="user 

Configuration/Administrative Templates/System gpmc_settingDescription="Di sables the 
windows registry editor Regedit.exe.<br/>&It;br/>lf this setting is enabled 
and the user tries to start a registry editor, a message appears explaining that a 
setting prevents the acti on.&lt ;br/&gt ;&lt ;br/&gt ;To prevent users from using other 
administrative tools, use the &quot ;Run only allowed windows 
applications&quot; setting." gpmc_supported="At least Microsoft Windows 
2000">Prevent access to registry editing tools</ax/tdxtd>Enabled</tdx/tr> 
<trxtdxa class="explainlink" href=" javascript :void() ; " 

onclick="javascript:showExplainText(this) ; return false;" gpmc_settingName="Turn off 
Autoplay" gpmc_settingPath="User Configuration/Administrative Templates/System" 
gpmc_settingDescription="Turns off the Autoplay 

feature.&lt ;br/>&lt ;br/&gt ; Autoplay begins reading from a drive as soon as you 
insert media in the drive. As a result, the setup file of programs and the music on 
audio media start immediately .< br/&gt ;&lt ;br/&gt ;By default, Autoplay is disabled 
on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and 
on network drives. <br/><br/>lf you enable this setting, you can also 
disable Autoplay on CD-ROM drives or disable Autoplay on all 

drives. <br/&gt ;<br/&gt ;This setting disables Autoplay on additional types of 
drives. You cannot use this setting to enable Autoplay on drives on which it is 



disabled by default .<br/&gt ;&lt ;br/&gt ; Note: This setting appears in both the 
Computer Configuration and User Configuration folders, if the settings conflict, the 
setting in Computer Configuration takes precedence over the setting in User 
Configuration. <br/><br/>Note: This setting does not prevent Autoplay for 
music CDs." gpmc_supported="At least Microsoft windows 2000 M >Turn off 
Autopl ay</a></tdxtd>Enabl ed</tdx/t r> 

<trxtd colspan= n 2 n xtable class= M subtabl enframe" cenpadding= M 0 M cellspacing= M 0"> 
<trxtd>Turn off Autoplay on : </tdxtd>All drives</tdx/tr> 
</tabl ex/tdx/t rx/tabl e> 

</divx/divxdiv class= ,, he3 ,, xspan class="sectionTitle" 
tabindex= ,, 0 ,, >system/scripts</spanxa class="expando" href="#"x/ax/div> 
<div class= ,, container ,, xdiv class="he4i"xtable class="info" cell paddinq="0" 
cellspacing= M 0"> 

<trxth scope="col">Policy</thxth scope="col ">setting</thx/tr> 
<trxtdxa class="explain link" href="iavascript:voidQ ;" 

onclick= ,, javascript:showExplainText(this) ; return false; 1 ' gpmc_settingName="Run 
logon scripts synchronously" gpmc_settingPath= n user Configuration/Administrative 
Templates/System/Scripts" gpmc_settingDescription="Di rects the system to wait for 
the logon scripts to finish running before it starts the Windows Explorer interface 
program and creates the desktop. &lt ;br/&gt ;<br/&qt ;lf you enable this setting, 
Windows Explorer does not start until the logon scripts have finished running. This 
setting ensures that logon script processing is complete before the user starts 
working, but it can delay the appearance of the desktop. <br/><br/>lf you 
disable this setting or do not configure it, the logon scripts and windows Explorer 
are not synchronized and can run simultaneously. <br/><br/>This setting 
appears in the Computer Configuration and user Configuration folders. The setting 
set in Computer Configuration takes precedence over the setting set in user 
Configuration." gpmc_supported="At least Microsoft Windows 2000">Run logon scripts 
synchronous! y</ax/tdxtd>Enabl ed</tdx/tr> 
</table> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">System/User 
Profiles</spanxa class= M expando M href="#"x/ax/div> 

<div class= 'container"xdiv class="he4i "xtable class="info" cell paddinq="0" 
cellspacing="0"> 

<trxth scope="col">Policy</thxth scope="col ">Setting</thx/tr> 
<trxtdxa class="explain link" href= M iavascript:voidO ;" 

onclick= n javascript:showExplainText(this); return false;" gpmc_settingName="Limit 
profile size gpmc_settingPath="User Configuration/Administrative 
Templates/System/User Profiles" gpmc_settinqDescription="Sets the maximum size of 
each user profile and determines the system r s response when a user profile reaches 
the maximum size.&lt ;br/&gt ;&lt ;br/>lf you disable this setting or do not 
confiqure it, the system does not limit the size of user 
profiles. <br/&gt ;&lt ;br/>lf you enable this setting, you can do the 
following:<br/><br/>-- Set a maximum permitted user profile 
size;<br/&gt ;<br/>-- Determine whether the registry files are included in 
the calculation of the profile size;&lt ;br/&gt ;&lt ;br/&gt ;— Determine whether 
users are notified when the profile exceeds the permitted maximum 
size;<br/&qt ;&lt ;br/&gt ;-- specify a customized message notifying users of the 
oversized profile;&lt ;br/><br/>— Determine how often the customized 
message is displayed. <br/&gt ;<br/>Note: This setting affects both local and 
roaming profiles." gpmc_supported="At least Microsoft windows 2000">Limit profile 
si ze</ax/tdxtd>Enabl ed</tdx/t r> 

<trxtd colspan="2"xtable class="subtable_f rame" cellpadding="0" cellspacing="0"> 
<trxtd>Custom Message</tdxtd>You have exceeded your profile storage space. Before 
you can log off, you need to move some items from your profile to network or local 
storage .</tdx/tr> 

<trxtd>Max Profile size (KB)</tdxtd>30000</tdx/tr> 
<trxtd>lnclude registry in file 1 ist</tdxtd>Disabled</tdx/tr> 
<trxtd>Notify user when profile storage space is 
exceeded . </tdxtd>Enabl ed</tdx/t r> 

<trxtd>Remind user every X minutes:</tdxtd>15</tdx/tr> 
</tabl ex/tdx/t rx/tabl e> 

</divx/divxdiv cl ass="he3"xspan class="sectionTitle" tabindex="0">windows 
components/internet Explorer</spanxa class="expando" href="#"x/ax/div> 



<div class="container"xdiv class="he4i"xtable class="info" cell padding="0" 
cellspacing="0"> 

<trxth scope="col ">Pol icy</thxth scope="col ">Setti ng</thx/tr> 
<trxtdxa class="explainlink" href="iavascript :voidQ; " 

onclick="javascript:showExplainText(tfiis) ; return false;" gpmc_settingName="Di sable 
changing Advanced page settings" gpmc_settingPath="user Configuration/Administrative 
Templates/Windows Components/Internet Explorer" gpmc_settingDescription="Prevents 
users from changing settings on the Advanced tab in the internet Options dialog 
box.<br/><br/>lf you enable this policy, users are prevented from 
changing advanced Internet settings, such as security, multimedia, and printing. 
Users cannot select or clear the check boxes on the Advanced 

tab.<br/><br/>lf you disable this policy or do not configure it, users 
can select or clear settings on the Advanced tab.&lt ;br/&gt ;&lt ;br/&gt ;if you set 
the &quot; Disable the Advanced page&quot ; policy (located in \user 
Configuration\Administrative Tempi ates\Windows Components\lnternet Explorer\lnternet 
Control Panel), you do not need to set this policy, because the &quot; Disable 
the Advanced paqe&quot ; policy removes the Advanced tab from the interface." 
gpmc_supported= at least Internet Explorer v5 .01">Disable changing Advanced page 
setti ngs</ax/tdxtd>Enabl ed</tdx/t r> 
<trxtdxa class="explainl ink" href=" javascript :void() ; " 

one! ick="javascript:showExplainText (this) ; return false;" gpmc_settingName="Di sable 
changing certificate settings" gpmc_settingPath="user Configuration/Administrative 
Templates/Windows Components/internet Explorer" gpmc_settingDescription="Prevents 
users from changing certificate settings in Internet Explorer. Certificates are used 
to verify the identity of software publishers. &lt ;br/><br/&gt ; if you enable 
this policy, the settings in the Certificates area on the Content tab in the 
internet Options dialog box appear dimmed. &lt ;br/&gt ;&lt ;br/&gt ;lf you disable this 
policy or do not configure it, users can import new certificates, remove approved 
publishers, and change settings for certificates that have already been 
accepted. <br/&gt ;&lt ;br/&qt; The &quot; Disable the Content page&quot ; 
policy (located in \user Conf iguration\Aaministrati ve Tempi ates\Windows 
Components\lnternet Explorer\lnternet Control Panel), which removes the Content tab 
from internet Explorer in Control Panel, takes precedence over this policy. If it is 
enabled, this policy is ignored. <br/><br/> Caution: If you enable this 
policy, users can still run the Certificate Manager import wizard oy double-clicking 
a software publishing certificate (.spc) file. This wizard enables users to import 
and configure settings for certificates from software publishers that haven't 
already been configured for internet Explorer." gpmc_supported="at least Internet 
Explorer v5 .01">Di sable changing certificate setti ngs</ax/tdxtd>Enabled</tdx/tr> 
<trxtdxa class="explainlink" href=" javascript :void() ; " 

onclick="javascript:showExplainText(this) ; return false;" gpmc_settingName="Di sable 
changing default browser check" gpmc_settingPath="user Configuration/Administrative 
Templates/Windows Components/Internet Explorer" gpmc_settingDescription=" Prevents 
Microsoft internet Explorer from checking to see whether it is the default 
browser. <br/&gt ;&lt ;br/&gt ;lf you enable this policy, the Internet Explorer 
Should Check to See Whether It is the Default Browser check box on the Programs tab 
in the Internet options dialog box appears dimmed. <br/>&lt ;br/&gt ;lf you 
disable this policy or do not configure it, users can determine whether internet 
Explorer will check to see if it is the default browser, when internet Explorer 
performs this check, it prompts the user to specify which browser to use as the 
default.<br/><br/>This policy is intended for organizations that do not 
want users to determine which browser should be their 

default .Alt; br/>< br/> The &quot; Disable the Programs page&quot ; 
policy (located in \User Conf iguration\Administrative Tempi ates\windows 
Components\lnternet Explorer\lnternet Control Panel), which removes the Programs tab 
from Internet Explorer in Control Panel, takes precedence over this policy, if it is 
enabled, this policy is ignored." gpmc_supported="at least Internet Explorer 
v5.01">Disable changing default browser check</ax/tdxtd>Enabled</tdx/tr> 
<trxtdxa class="explainlink" href=" javascript :void() ; " 

onclick^" javascript :showExplainText(this) ; return false;" gpmc_settingName="Di sable 
changing ratings settings" gpmc_settingPath="User Configuration/Administrative 
Templates/windows Components/Internet Explorer" gpmc_settingDescription="Prevents 
users from changing ratings that help control the type of internet content that can 
be viewed.<br/><Br/>lf you enable this policy, the settings in the 



Content Advisor area on the Content tab in the internet Options dialog box appear 
dimmed.<br/><br/>lf you disable this policy or do not configure it, 
users can change their ratings settings. <br/&gt ;<br/>The &quot; Disable 
the Ratings page&quot ; policy (located in \User Conf igu rati on\Admini strati ve 
Tempi ates\windows Components\Internet Explorer\lnternet Control Panel), which 
removes the Ratings tab from internet Explorer in control Panel, takes precedence 
over this policy, if it is enabled, this policy is ignored." gpmc_supported="at 
least Internet Explorer v5 .01 M >Disable changing ratings 
settings</a></tdxtd>Enabled</tdx/tr> 
<trxtdxa class= n explainlink M href="iavascript : void() ;" 

onclick="javascript:showExplainText(this) ; return false;" gpmc_settingName="Di sable 
changing Temporary Internet files settings" gpmc_settingPath="User 
Configuration/Administrative Templates/Windows Components/Internet Explorer" 
gpmc_settingDescription="Prevents users from changing the browser cache settings, 
such as the location and amount of disk space to use for the Temporary internet 
Files folder.<br/&gt ;<br/&gt ;lf you enable this policy, the browser cache 
settings appear dimmed. These settings are found in the dialog box that appears when 
users click the General tab and then click the Settings button in the Internet 
options dialog box.&lt ;br/&gt ;&lt ;br/>lf you disable this policy or do not 
configure it, users can change their cache settings.<br/><br/>lf you set 
the &quot; Disable the General page&quot ; policy (located in \User 
Configuration\Admini strati ve Tempi ates\windows Components\lnternet Explorer\lnternet 
Control Panel), you do not need to set this policy, because the &quot; Disable 
the General page&quot ; policy removes the General tab from the interface." 
gpmc_supported="at least Internet Explorer v5.01">Disable changing Temporary 
Internet files settings</a></td><td>Enabled</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="iavascript:showExplainText(this) ; return false;" gpmc_.settingName="Di sable 
external branding of Internet Explorer" gpmc__settingPath="User 
Configuration/Administrative Templates/Windows Components/Internet Explorer" 
gpmc_settingDescription="Prevents branding of Internet programs, such as 
customization of Internet Explorer and Outlook Express logos and title bars, by 
another party.&lt ;br/&gt ;&lt ;br/&gt ;lf you enable this policy, it prevents 
customization of the browser by another party, such as an Internet service provider 
or internet content provider .&lt ;br/><br/>lf you disable this policy or do 
not configure it, users could install customizations from another party-for example, 
when signing up for Internet services. <br/>&lt ;br/>This policy is intended 
for administrators who want to maintain a consistent browser across an 
organization." gpmc_supported="at least Internet Explorer v5 .01">Disable external 
branding of Internet Explorer</ax/tdxtd>Enabled</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="javascript:showExplainText(this) ; return false;" gpmc__settingName="Di sable 
Internet Connection wizard" gpmc_settingPath="user Configuration/Administrative 
Templates/Windows components/Internet Explorer" gpmc_settingDescription="Prevents 
users from running the Internet Connection Wizard. <br/&qt;<br/>lf you 
enable this policy, the Setup button on the Connections tab in the Internet Options 
dialog box appears dimmed. <br/><br/> Users will also be prevented from 
running the wizard by clicking the Connect to the Internet icon on the desktop or by 
clicking Start, pointing to Programs, pointing to Accessories, pointing to 
Communications, and then clicking Internet Connection 

wizard.<br/><br/>lf you disable this policy or do not configure it, 
users can change their connection settings by running the Internet Connection 
wizard. &lt ;br/&gt ;<br/&gt ;Note: This policy overlaps with the &quot ; Disable 
the Connections page&quot ; policy (located in \user Configuration\Admini strati ve 
Tempi ates\Windows Components\Internet Explorer\Internet Control Panel), which 
removes the Connections tab from the interface. Removing the Connections tab from 
the interface, however, does not prevent users from running the internet Connection 
Wizard from the desktop or the Start menu." gpmc_supported="at least Internet 
Explorer v5 .01">Di sable Internet Connection wizard</ax/tdxtd>Enabled</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript : void() ; " 

one! ick=" javascript rshowExplainText (this) ; return false;" qpmc_settingName="Di sable 
the Reset Web Settings feature" gpmc_settingPath="user Configuration/Administrative 
Templates/windows Components/internet Explorer" gpmc_settingDescription="Prevents 
users from restoring default settings for home and search 



pages. <br/><br/>if you enable this policy, the Reset Web settinas h..ttrm 
on the Programs tab in the Internet options dialog box appears Set tmgs button 

dimmed. &.t;br/><br/>lf you disable this policy or do not confiaure it 
users can restore the default settings for home and search conngure it, 

flor^fn i5 r ^*9l'*l t; S- / * 9t; T he v*5 ,n e:9 U0 t;Disable the Programs page&quot; policy 




Reset' web sitting's fe^tur^^ v:,ur>Di sable the" 15 

<tr><tdxa class= explainlink" href="iavascript:voidO ;" 

onclick= javascript:showExplainText(this); return false;" qpmc settinaName-"no nor 
allow Autocomplete to save passwords" gpmc_settingpath="usl? 9 * 

configuration/Administrative Templates/windows Components/internet ExDlorer" 

?rffrmroi; g £S C n^« 0n=, 'S iSableS aut °matic completion of user Samel and passwords 
in torms on web pages, and prevents users from beinq prompted to save m»»»w«u5 
passwords. <br/><br/>lf you enable this policy, the Use? Sames and 
di?n^C d rh.c/ 0 i: mS u a i: d Prompt Me t0 save Passwords check boxes appear^immtd To 
!^ se c 5 e 5t boxes, users open the internet options dialog box, click the 
H?5lh?J and - then c l lcl < the Autocomplete button. <br/>&Tt;br/&gt^f you 

Explorer au?omaJicallv ™!JnW°c flgUre 1t ' USe i; s can determine whether Interne? 
to^fpaslwo^ them 
page&quot; policy (located in \user Configuration\Admin strati^ 
Tempi ates\windows Components\internet Explorer\internet contro 1 PaneS") which 

Jver^his'oolicv 6 ^/^ Z° m Fernet ExSlorerNn Controfp'an'el , "Skis ' precedence 

over tnis policy, if it is enabled, this policy is iqnored." aomc suDDorted-"at 

least internet Explorer v5.01">Do not allow Autocomplete to s 9P mc - su PP ort ed- at 

passwords</ax/tdxtd>Enabled</tdx/tr> 

<tr><td><a cl ass="expl ai nl i nk" h ref =" iavascri pt : voi d() ; " 

Sc f s« using 

£uffinl£ Mana 9 e r-<br/><br/>ldentity Manager 9 enab?ef user^ create 9 

multiple accounts, such as e-mail accounts, on the same computer Each use? a 

unique identity, with a different password and different proqram' 

preferences. <br/><br/>lf you enable thifpSl inters will not be able 

to create new identities, manage existing identities, or switch identities The 

switch identity option will be removed from the File menu in Addrels 

Book <br/&qt;&Tt;br/>lf you disable this policy or do not configure it users 

5t nfS* "P and cnan 9e identities." gpmc_supported="at least internet Explorer 

V5.01 >ldentity Manager: Prevent uslrs from using sterner Explorer 

Identi ti es</ax/tdxtd>Enabl ed</tdx/tr> 

<tr><td><a class="explainlink" href="iavascript:void() ;" 

n?c]h?^% 3aVa uT pt;s, ? 0WE ^ plainTex t(this); return false;" gpmc settinqName="search- 

Selr^rSsisSn! U ^nn^hV 551 ' 5 ^ app P r ^mmid. &lt Si ^b^/^h^ 6 
ln?ernef &lt ■ b?/&i? ■ll? 0 h 1 r/^T? Ppears ln the Search bar to heTp'users selrch the 
t~lZ ; • l c,r / &at ,&lt,br/>lf you enable this policy, users cannot chanae their 

?atkf&U S brMn^!irh n 9IV S ^ h as S J tX i^ default P search engines for speci?ic 

C ' b r/ & gt;<br/>lf you disable this policy or do not confiaure it users 

is d«?S2pH t ^ 1 Lf ett i n 9 S . for tne Searc h Assistaht.<br/><br/&g?;?h s'polC 
is designed to help administrators maintain consistent settinqs for selrchina iVroll 
an organization." gpmc_supported="at least Internet Explorer vf 01">IItrch- DiSble 
Search customi zation</ax/tdxtd>Enabled</tdx/tr> cxpiorer v:, - ul >Se arch. Disable 
<t rxtdxa cl ass="expl ai nl ink" href ="iavascri pt : voi d O ■ " 

onclicks javascript:showExplainText(this); return false;" qpmc settinaName-"use 
Automatic Detection for dial-up connections" gpmc settinqpith="uler 
Configuration/Adm nistrative Tempi ates/windows Component! internet Explorer" 
9P m ^settingDescnption= "specifies that Automatic Detection wiV ] be used to 
a SJc? U fDvnam ^En^fr 1 "? 5 f ° f ^ sers t ; br/&gt ;&1 1 ; br/&gt ; Automatic Detection use* 
a DHCP (Dynamic Host Configuration Protocol) or DNS servir to customize the browser 



the first time it is started. <br/> <br/> If you enable this policy, users' 
dial-up settings will be configured by Automatic Detection.<br/>&lt:br/&qt-lf 
you disable this policy or do not configure it, dial-up settings Will not be 
configured by Automatic Detection, unless specified by the use?." gpmc supported="at 
least internet Explorer v5.01">Use Automatic Detection for dial-up " 
connections</a></tdxtd>Enabled</tdx/tr> 
</tabl e> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">windows 
Components/Internet Explorer/Browser menus</spanxa class="expando" 
href= # x/ax/div> 

ceUspacir-"0"> ainer ' ><diV c1ass= " he4i " ><tab1e class="info" cellpadding="0" 

<trxth scope="col ">Pol icy</thxth scope="col ">Setting</thx/tr> 
<trxtdxa cl ass="expl ai nl i nk" href="iavascri pt : voi d() ; " 

oncl ick=" javascript :showExplainText(this); return false;" gpmc settingName="Help 
menu: Remove 'For Netscape Users' menu option" gpmc_settingPath="user 
contigu rati on/Administ rati ve Templates/windows Components/Internet Explorer/Browser 
menus gpmc_settingDescnption="Prevents users from displaying tips for users who 
are switching from Netscape. <br/><br/> If you enable this policy, the For 
Netscape users command is removed from the Help menu.<br/><br/>if you 
disable this policy or do not configure it, users can display content about 
^nM C Vi??i, ,*\"f}l c ? pe „ hy clid ?ing the For Netscape Users command on the Help 
menu &lt,br/><br/> Caution: Enabling this policy does not remove the tips 
tor Netscape users from the Microsoft internet Explorer Help file " 
gpmc_supported="at least internet Explorer v5.01">Help menu: Remove 'For Netscape 
Users menu option</ax/tdxtd>Enabled</tdx/tr> y 
<t rxtdxa cl ass="expl ai nl i nk" h ref =" javascr i pt : voi d() ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Help 
menu: Remove 'send Feedback' menu option" gpmc_settingPath=*User 

configuration/Administrative Templates/Windows Components/Internet Explorer/Browser 

gP m c_settingDescription=" Prevents users from sending feedback to Microsoft by 
clicking the send Feedback command on the Help menu.<br/><br/&qt:lf vou 
enable this policy, the Send Feedback command is removed from the Help 

rl„ U £lV br l &9t ''V t : br / & 9S ;lf you dis ?ble this policy or do not configure it, users 
can fill out an internet form to provide feedback about Microsoft products." 
gpmc_supported= at least Internet Explorer v5.01">Help menu: Remove 'send Feedback' 
menu option</ax/tdxtd>Enabled</tdx/tr> 
<t rxtdxa cl ass="expl ai nl i nk" href=" iavascri pt : voi d() ; " 

onclick= javascript:showExplainText(this); return false;" gpmc_settingName="Help 
menu: Remove 'Tip of the Day' menu option" gpmc_settingF>ath="user 
confiquration/Admim strati ve Templates/windows Components/internet Explorer/Browser 
menus gpmc.setti ngDescn ption="Prevents users from viewing or changing the Tip of 

thU ™ii™ er K»Vn IKS 50 ? Interne * Explorer.<br/><br/>lf you enable 
this policy, the Tip of the Day command is removed from the Help 

menu.<br/><br/>lf you disable this policy or do not configure it, users 

can enable or disable the Tip of the Day, which^appears at the bottom of the 

n£ rhf r A a ?P mc - su PP° rted = at least internet Explorer v5.01">Help menu: Remove 'Tip 

of the Day menu option</ax/tdxtd>Enabled</tdx/tr> 

</tabl e> 

</divx/div><div class="he3"xspan class="sectionTitle" tabindex="0">windows 
Components/Microsoft Management Console</spanxa class="expando" href="#"x/ax/div> 
cellsplcing-"0% aine class="he4i"xtable class="info" cellpadding="0" 

<trxth scope="col">Policy</thxth scope="col ">Setting</thx/tr> 
<tr><tdxa class="explainlink" href=" javascript: voi d() ;" 

onclick= javascript :showExplainText(this); return false;" gpmc_settingName="Restrict 
the user from entering author mode" gpmc_settingPath="user 

configuration/Administrative Templates/windows Components/Microsoft Manaqement 
Console qpmc_settingDescription="Prevents users from entering author 
mode. <br/><Br/> This setting prevents users from opening the Microsoft 
Management Console (mmc) in author mode, explicitly opening console files in author 
mode, and opening any console files that open in author mode by 

default.<br/><br/>As a result, users cannot create console files or add 
or remove snap-ins. Also, because they cannot open author-mode console files they 



2S«3I\ rin ? •^^S^v&JMJS^^!?" 2000 >Rcstn ' ct thc user 

Prohibited.&l^br/^ sna P- in is 

it, all snap-ins are permitted exrpnr i-Knc- ihS hlS f?*? 1 !^ or do not configure 

snap-in setting in the folder if enabl pH 2r 1 s " ap ;1 ns y° u w ? nt to prohibit, if a 

does not appear .Slt-br/S-lTt-br/«S?"SJS. U e opens - ul but J he Prohibited snap-in 

c < e d 1 1 ^p:c a ?^^0°S> ta1 '" er " ><d " El -=' fe «^ ll-Sw^^-O" 
<trxth scope="col ">Pol icy</thxth scope="co1 ">setti rux/thx/m* 
o^riS?"- class = explainlink" href="iavasc?ipjTvSid(?-" 7 



Itln'fl t i^5ffii?i :b C / * 9t i 7 S 1s se £ tln 9 removes the Properties item from the File 
menu in Scheduled Tasks and from the context menu that appears when you riqht-click 
a task. As a result, users cannot change any properties of a task. They can only see 
the properties that appear in Detail view and in the task Y V 

preview. <br/><br/>This setting prevents users from viewing and chanqinq 
characteristics such as the program the task runs, its schedule detaiTs? idle ??me 9 
a nd P°wer management settings, and its security context. <br/> <t>r/> mtl ■ 
ft L^ t1:i ^- appears ln 2? e C0 5P uter Configuration and User Configuration folders 
If both settings are configured, the setting in computer Configuration takes 
^f^ nC $^° V ! r the s ? ttin 9 , n User configuration. <br/>&Tt;br/>Tip: This 
«$ Sw? affec !s fisting tasks only. To prevent users from changing tfie properties 
of newTy created tasks, use the &quot; Remove Advanced Menu&quot: settinq " 
gpmc_supported="At least Microsoft windows 2000">Hide Property seeing. 
Pages</a></tdxtd>Enabled</tdx/tr> 

<tr><tdxa class="explainlink" href="javascript:voidO ; " 

onclick= javascnpt:showExplainText(this); return false;" gpmc settinqName="Prevent 
Task Run or. End" gpmc_settingPath="user Configuration/AdministFative prevent 
Templates/Windows Components/Task scheduler" gpmc_settingDescription="Prevents users 
from starting and stopping tasks manual ly.<br/>&lt ;br/&gt -This setting remove! 
the Run and End Task items from the context menu that appears 9 when you right-click I 
task, as a result, users cannot start tasks manually or force tasks to end before 
thev are finished. <br/><br/>Note: This setting appears in the CompS^r 
se?£ ST^ln^T Configuration folders, if both set?in?s are configured? the 
setting in computer Configuration takes precedence over the settinq in User 

End n </l U </1d?<t^ l6aSt Ml ' CrOSOft Wind0WS 2000">Prevent Task Run or 

<tr><tdxa cl ass="expl ai nl i nk" href=" i avascr i pt : voi d () ; " 

onclick= :avascnpt:showExplainText(this); return false;" gpmc settinqName="Prohibit 
Browse" gpmc_settingpath= user configuration/AdministrativfTempl^ 
components/Task scheduler" gpmc_settTngDescription="Limits newly scheduled^ items 
on the user s start menu, and prevents the user from changing the scheduled orooram 

IZ trllVn 9 ^t 5 ^ 1 ^^/^; 41 ^^/^; 11115 settin 9 rem ° v " thS Browse bStton 9 from 
the schedule Task wizard and from the Task tab of the properties dialog box for a 

U u erS *£ a 2"2 t edl ^ the 1 &am P;q"ot;Run&quot; box or the &quot; Start 
in&quot; box that determine the program and path for a h.muul, atari 

task.<br/><br/>As a result, when users create a task, they must select a 
program from the list in the scheduled Task wizard, which displays only the ?asks 
that appear on the Start menu and its submenus, once a task is created; uslrs cannot 
ni an ^n. Pr ° gra V task run s.&1t;br/><br/>lmportant: This setting dSI 
ihl ZrhZTi " s ?rs f ronicreating a new task by pasting or dragging any program into 
the scheduled Tasks folder. To prevent this action, Gse the &quot ; Prohibit Dran- 

r±^ &amp ^ UOt V^ ettin §- &1t:br/& i^ This sett ng appears n thT J 

computer Configuration and user Configuration folders, if both settinqs are 

in '^ he se ^ tin 9 in computer Configuration takes precedence ovir the settinq 

BrowseVa^ leaSt Microsoft Wind °- 2000">Prohibit 9 

<trxtdxa class="explainlink" href="iavascript:voidO ;" 

onclick= javascript :showExplainText(this) ; return false;" gpmc settinqName=" Prohibit 
Sn2n^/?^i, g ^ e r^ gPath - ,User Configuration/Adminiltraiive Temp^tes/windSws 
Sw n n^ /Task u Schedl ^ ler gP mc -?ettingDescription="Prevents users from adding or 
removing tasks by moving or copying programs in the Scheduled Tasks 

TO flPf .A t'hr / X.rrt- • x.l t ■ kn /Jf.n-f- • tUi* ^ ^ j j* i_ -i _ _ .1 _ . 



Paste, and Paste 



^ tj a -1 Z \ /« J " r ^ , wyi olio in une ^cneuuiea ia; 

folder.<br/><br/>This setting disables the Cut, copy, 
rf?«hi« ° n the . context menu and the Edit menu in scheduled Tasks! it"also 

i ?j e f-. tne . drag-and-drop features of the scheduled Tasks 
Hrlnnn-;? I ^ gt:&1t;br/ ^ gt;As J a result - users cannot add new scheduled tasks by 
fSSl Iii-^r/^;.°^ C S P ^ n 2 a document or program into the Scheduled tasks 
SrhnS; r/& 9 t ; &1t ; br /&g t ; T h] 1 S. setting does not prevent users from using other 

ttHi ll^hr/lS^i^V/f^' and l1: u does no ^ P revent users from deleting 9 

25 i." &lt i br t* gt;&1 ^ ;br ^ ;N0te: Thls setting appears in the computer configuration 

and user Configuration folders, if both settings are configured, the settinq in 

Computer Configuration takes precedence over the setting in User Configuration " 

gpmc_supported="At least Microsoft windows 2000">Prohib?t Drag-and- 9 

Drop</ax/tdxtd>Enabled</tdx/tr> 



<tr><tdxa cl ass="expl ai nl i nk" href="iavascri pt : void() ; " 

onclick^-'javascriptishowExplainTextCthis); return false;" gpmc_settingName=" Prohibit 
New Task Creation 5 ' gpmc_settingpath="user Configuration/Administrative 
Templates/Windows Components/Task Scheduler" gpmc_settingDescription="Prevents users 
from creating new tasks <br/&gt ; Alt; br/> This setting removes the Add Scheduled 
Task item that starts the New Task Wizard. Also, the system does not respond when 
users try to move, paste, or drag programs or documents into the scheduled Tasks 
folder.<br/><br/&qt;Note: This setting appears in the Computer 
Configuration and User configuration folders, if both settings are configured, the 
setting in computer Configuration takes precedence over the setting in User 
conf igurati on. <br/><br/> important: This setting does not prevent 
administrators of a computer from using At.exe to create new tasks or prevent 
administrators from submitting tasks from remote computers." gpmc supported="At 
least Microsoft Windows 2000">Prohi bit New Task ^ 
Creation</a></tdxtd>Enabled</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript :void() ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Prohibit 
Task Deletion gpmc_settingPath="user Configuration/Administrative Templates/Windows 
Components/Task Scheduler gpmc_settingDescription="Prevents users from deleting 
tasks from the Scheduled Tasks folder. <br/><br/>This setting remove! the 
Delete command from the Edit menu in the Scheduled Tasks folder and from the menu 
that appears when you right-click a task. Also, the system does not respond when 
users try to cut or drag a task from the scheduled Tasks 
folder. <br/><br/>Note: This setting appears in the computer 
Configuration and User Configuration folders. If both settings are configured the 
setting in Computer Configuration takes precedence over the setting in User 
Configuration. <br/><br/> Important: This setting does not prevent 
administrators of a computer from using At.exe to delete tasks." gpmc supported="At 
least Microsoft Windows 2000">Prohibit Task Deletion</ax/tdxtd>EnabTed<7tdx/tr> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">windows 
Components/Windows Explorer</spanxa class="expando" href="#"x/ax/div> 
<div class= container w xdiv cl ass="he4i "xtable class="info" cellpadding="0" 
cellspacing= 0 > M 
<trxth scope="col ">Pol i cy</thxth scope="col ">Setti ng</thx/tr> 
<trxtdxa class="explainlink" href="iavascript: void() ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow 
only per user or approved shell extensions" gpmc_settingPath="user 
Configuration/Administrative Templates/Windows Components/Windows Explorer" 
gpmc_settingDescription="This setting is designed to ensure that shell extensions 
can operate on a per-user basis, if you enable this setting, windows is directed to 
only run those shell extensions that have either been approved by an administrator 
or that will not impact other users of the machine.<br/><br/>A shell 
extension only runs if there is an entry in at least one of the following locations 
in registry.<br/><br/>For shell extensions that have been approved by 
the administrator and are available to all users of the computer, there must be an 
entry at HKEY_LOCAL_MACHlNE\Software\Microsoft\windows\Currentversion\shell 
Extensions\Approved.<br/><br/>For shell extensions to run on a per-user 
basis, there must be an entry at K 

HKEY_cURRENT_uSER\Software\Microsoft\windows\currentversion\shell 
Extensions\Approved." gpmc_supported="At least Microsoft windows 2000">Allow onlv 
per user or approved shell extensions</ax/tdxtd>Enabled</tdx/tr> 
<tr><tdxa class="explainlink" href="iavascript:void() ; " 

°"^,2^= iavascri>t:showExplainText(tnis); return false;" gpmc_settingName="Do not 
request alternate credentials" gpmc_settingPath="user Configuration/Administrative 
Templates/Windows Components/Windows Explorer" gpmc_settingDescription="Prevents 
users from submitting alternate logon credentials to install a 

program. <br/><br/> This setting suppresses the &quot; Install Program 
As other user&quot; dialog box for local and network installations. This dialog 
box, which prompts the current user for the user name and password of an 
administrator, appears when users who are not administrators try to install proqrams 
locally on their computers. This setting allows administrators who have logged on as 
regular users to install programs without logging off and logging on again using 
their administrator credent! als.<br/><br/> Many programs can be installed 



only by an administrator. If you enable this setting and a user does not have 
?"!™l en .!- P ^™}?!2 0nst0 , in ?tan a prograin, the installation continues with the 



— - • — . ^ <"^»i i a piuyioin, lmc i risucti lation continues with the 

current user's logon credentials. As a result, the installation might fail , or it 
might complete but not include all features. Or, it might appear to complete 
successfully, but the installed program might not operate comp.exe 
correctly. <br/><br/>lf you disable this setting or do not configure it 
the &quot; install Program As other User&quot; dialog box appears whenever 
users install programs locally on the computer .<br/>&Tt;br/>Iy default 
» nlL^u "S* P rom e ted f?r alternate logon credentials when installing programs 'from 
a network share. If enabled, this setting overrides the &quot; Request 
credentials for network installations&quot; setting." qpmc suoDorted="At leasr 
Microsoft Windows 2000">Do not request alternate gpmc.supporteo- At least 

credenti al s</a></tdxtd>Enabl ed</tdx/tr> 
<tr><tdxa cl ass="expl ai nl i nk" href ="iavascri pt : voi d () ; " 

^kf 11 J a Y ascn 'P t: showExplainText(tnis); return false;" gpmc_settingName="Hides 
the Manage item on the windows Explorer context menu" gpmcIsettingPatlW'user 
Configuration/Administrative Templates/windows Components/Windows Explorer" 
gpmc_settingDescription="Removes the Manage item from the windows Explorer context 
menu. This context menu appears when you right-click Windows Explorer or My 
Computer <br/><br/>The Manage item opens Computer Management 
(Compmgmt.msc), a console tool that includes many of the primary windows 2000 
administrative tools, such as Event viewer, Device Manager, and Disk Management You 
must be an administrator to use many of the features of these management, you 

S«I S f?I« : ^ /& i3 ;& ] t;br/& 9 t;This settin 9 doe s not remove the Computer Management 
item from the Start menu (start, Programs, Administrative Tools, Computer 
Management), nor does it prevent users from using other methods to start Computer 
Management. &lt:br/&ot:&lt:brMni--TTn- m hiHo =,iT " _ rL_ , - om P uier 




j £- t" — " v ^ wniuuwa ^niaes trie h 

Windows Explorer context menu</a></tdxtd>Enabled</tdx/tr> 
<tr><tdxa cl ass="expl ai nl i nk" href =" i avascri pt : voi d() ; " 
onclick= javascript:showExplainText(tnis); return false;" gpmc_settingName="No 
&quot; Entire Network&quot; in My Network Places" gpmc_settingPath="User 
conn guration/Admim strati ve Templates/windows Components/windows Explorer" 
?^T S ^ ttl • gD ? scn ?^ ion= "5 e,noves a11 computers outside of the user's workgroup or 

Maces K-hr/inr-Il^hr/Lr^r^ reso " rces J n ^dows Explorer and My Network 
Piaces.&.t,br/><br/>if you enable this setting, the system removes the 
liV/J Ne ]; w ° rk 0 PJ 10 " and the """cons representing networked computers from My Network 
Places and from the browser associated with the Map Network Drive 
option.<br/><br/>This setting does not prevent users from viewing or 
connecting to computers in their workgroup or domain, it also does not prevent users 
from connecting to remote computers by other commonly used methods, such as bv 

^ 1 5?. t t e /f h 5 r f- I na H ie / 1 0 n the Run dia1 °g box or the Ma P Network Drive dialog 

" f ^ i r/&gt ; &1 t ; br/&gn ; To remove computers in the user's workgroup or domain from 
lists of network resources, use the &quot;No &quot; Computers Near 
Me&quot; in My Network Places&quot; setting. <br/><br/>Note: It 
is a requirement for third-party applications with windows 2000 or later 

?nnS»So a InM^^ ^ her t 1° t ! 1 i s sett l n 9-" gpmc_supported="At least Microsoft windows 
2000 >No " Entire Network" in My Network 



Pi aces</ax/tdxtd>Enabl ed</tdx/t r> 
<tr><tdxa cl ass="expl ai nl i nk" href="iavascript : void() ; " 

onclick= javascnpt:showExplainText(this); return false;" gpmc settingName="Remove 
Hardware tab' gpmc_settingPath="User Confi gu rati on/AdministratTve Tempi at^s/windows 
Sh P ^"h^K d ^ explorer" gp«c^ettingDSscriptibn-»Re«oves the HaKiSe 
ifSkJ a br / & 9 t i &lt i l br />This setting removes the Hardware tab from Mouse, 
Keyboard, and Sounds and Audio Devices in control Panel, it also removes the 
2r^ ar6 ^ ab fr T } h t P r °P ertl 'es dialog box for all local drives, including hard 
drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the 
Hardware tab to view or change the device list or device properties, or use the 
Troubleshoot button to resolve problems with the device." gpmc supported="At least 
Microsoft windows 2000">Remove Hardware tab</ax/tdxtd>Enabled</td><Ar> 

</divx/div><div class="he3"xspan class="sectionTitle" tabindex="0">Windows 
Components/windows Install er</spanxa class="expando" href="#"x/a></div> 



«llsplcingI"0% ainer '' ><diV class =" h e4i"><table class="info" cellpadding="0" 

</thx/tr> 




? Ja » ^ 
aSmr^^nnn^ dm - n Z^ tra ^ ve Tempi ates/wTndows Components/windows installer" 

Kii*!" br^ ProgrS'fSm'remoIable 




found, you might be able to resolve this issue L ^r- ' IT* ""j??* «™°t b 

KIN. ~ II 111 _ . . • . 



^ SI C ?£ e= c ? 1 >setting</thxth scope="col ">State</thx/tr> 
<t rxtd>Software\Pol ^ ci es\Mi crosof t\wi ndows\Network ™ ></i:r> 

^nections\NC3howsharedAccessui</td><td>0</tdx/tr> 

</divx/divx/divx/div> 
</bodyx/html> 
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<?xml version="1.0" encoding="utf-16" ?> 

<GPO xmlns:xsd= ^ http://www.w3.org/2001/XMLSchema ,, 

xmlns:xsi= M http://www.w3.org/2001/XMLSchema-instance" 

xmlns= M http://www. microsoft.com/GroupPolicy/Settings"> 

- < Identifiers 

<Identifier xmlns="http:// www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types M >gpmcdemo.com</Domain 

</Identifier> 

<Name>LightlyManaged User Settings</Name> 

<CreatedTime>2003-04-10T21:28:49.0000000-07:00</CreatedTime> 

<ModifiedTime>2003-04-10T21:30:35.0000000-07:00</ModifiedTime> 

<ReadTime>2003-06-27T23:34:20.1912576-07:00</ReadTime> 

- <SecurityDescriptor> 

<SDDL 

xmlns= H http://www.microsoft.com/GroupPolicy/Types/Security M >0:DAG:DUD-PA3 

(A;CI;SWDTLO;;;DA)(A;CI;SWDTLO;;;EA)(A;;SWDTLO;;;DA) 

(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO) 

(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LO;;;AU) 

(A;CI;LCRPLORC;;;ED)(A;CI;LCRPRC;;;AU) 

(A;CI;CCDCLCRPWPSDRCWDWO;;;DA) 

(A;CI;CCDCLCRPWPSDRCWDWO;;;EA)(A;CI;CCDCLCRPWPSDRCWDWO;;;S- 

1-5-21-3236881260-3653063036-2003513472-1123) 

(OA;CI;CR;edacfd8f-ffb3-lldl-b41d-00a0c968f939;;AU)S:AI 

(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-lldl-b603-0000f80367cl;WD) 

(OU;CIIOIDSA;WP;f30e3bbe-9ff0-lldl-b603-0000f80367cl;bf967aa5- 

0de6-lld0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0- 

Ildl-b603-0000f80367cl;bf967aa5-0de6-lld0-a285- 

00aa003049e2;WD)</SDDL> 

- <Owner xmlns= M http:// www. microsoft.com/GroupPolicy/Types/Security"> 

<SID xmlns="http://www.microsoft.com/GroupPolicy/Types M >S-l-5-21- 

3236881260-3653063036-2003513472-512</SID> 
<Name 

xmlns="http://www.microsoft.com/GroupPolicy/Types M >GPMCDEMO\Domain 

Admins</Name> 

</0wner> 

- <Group xmlns="http://www. microsoft.com/GroupPolicy/Types/Security"> 

<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-l-5-21- 

3236881260-3653063036-2003513472-513</SID> 

<Name 

xmlns = n http://www.microsoft.com/GroupPolicy/Types n >GPMCDEMO\Domain 

Users</Name> 

</Group> 

<PermissionsPresent 

xmlns="http://www.microsoft.com/GroupPolicy/Types/Security">true</Permissior 

- Permissions 

xmlns="http://www. microsoft.com/GroupPolicy/Types/Security"> 

<InheritsFromParent>false</InheritsFromParent> 
- <TrusteePermissions> 
- <Trustee> 

<SID xmlns="http://www.microsoft.c m/GroupPolicy/Types">S- 

l-5-21-3236881260-3653063036-2003513472-519</SID> 

<Name 
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xmlns="http://www.microsoft.com/Gr upPolicy/Types">GPMCDEMO\EnterDrise 

Admins</Name> 

</Trustee> 

- <Type xsi:type="PermissionType"> 

<PermissionType>Allow</PermissionType> 
</Type> 

<Inherited>false</Inherited> 

- <Applicability> 

<ToSelf>true</ToSelf> 

<ToDescendantObjects>false</ToDescendantObjects> 

<ToDescendantContainers>true</ToDescendantContainers> 

<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly> 
</Applicability> 

- <Standard> 

<GPOGroupedAccessEnum>Edit / delete, modify 

security</GPOGroupedAccessEnum> 
</Standard> 

<AccessMask>0</AccessMask> 
</TrusteePermissions> 
- <TrusteePermissions> 

- <Trustee> 

<SID xmlns= M http://www.microsoft.com/GroupPolicy/Types M >S- 

l-5-21-3236881260-3653063036-2003513472-1123</SID> 

<Name 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">GPMCDEMO\De^ 
Admins</Name> y 

</Trustee> 

- <Type xshtype^ 'PermissionType' > 

<PermissionType>Allow</PermissionType> 
</Type> 

<Inherited>false</Inherited> 

- <Applicability> 

<ToSelf>true</ToSelf> 

<ToDescendantObjects>false</ToDescendantObjects> 

<ToDescendantContainers>true</ToDescendantContainers> 

<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly> 
</Applicability> 

- <Standard> 

<GPOGroupedAccessEnum>Edit, delete, modify 

security</GPOGroupedAccessEnum> 
</Standard> 

<AccessMask>0</AccessMask> 
</TrusteePermissions> 
<TrusteePermissions> 

- <Trustee> 

<SID xmlns= M http://www.microsoft.com/GroupPolicy/TvDes ,, >S- 
l-5-9</SID> 

<Name 

xmlns="http://www. microsoft.com/Gr upPolicy/Types M >NT 
AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS</Name> 

</Trustee> 

- <Type xsi:type="PermissionType "> 

<PermissionType>Allow</PermissionType> 
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</Type> 

<Inherited>false</Inherited> 

- <Applicability> 

<ToSelf>true</ToSelf> 

<ToDescendantObjects>faIse</ToDescendantObjects> 
<ToDescendantContainers>true</ToDescendantContainers> 
<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly> 
</Applicability> 

- <Standard> 

<GPOGroupedAccessEnum>Read</GPOGroupedAccessEnum> 
</Standard> 

<AccessMask>0</AccessMask> 
</TrusteePermissions> 

- <TrusteePermissions> 

- <Trustee> 

<SID xmlns=' http://www.microsoft.com/GroupPolicy/Types M >S- 
l-5-18</SID> 

<Name 

xmlns= n http://www.microsoft.com/GroupPolicy/Types H >NT 
AUTHORITY\SYSTEM</Name> 

</Trustee> 

- <Type xsi:type="PermissionType"> 

<PermissionType>Allow</PermissionType> 
</Type> 

<Inherited>false</Inherited> 

- < Applicability > 

<ToSelf>true</ToSelf> 

<ToDescendantObjects>false</ToDescendantObjects> 
<ToDescendantContainers>true</ToDescendantContainers> 
<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly> 
</Applicability> 

- <Standard> 

<GPOGroupedAccessEnum>Edit / delete, modify 
security</GPOGroupedAccessEnum> 
</Standard> 

<AccessMask>0</AccessMask> 
</TrusteePermissions> 

- <TrusteePermissions> 

- <Trustee> 

<SID xmlns= 'http://www.microsoft.com/GroupPolicy/Types M >S- 
l-5-21-3236881260-3653063036-2003513472-512</SID> 

<Name 

xmlns="http://www.microsoft.com/GroupPolicy/Types">GPMCDEMO 
Admins</Name> 

</Trustee> 

- <Type xsi:type= H PermissionType M > 

<PermissionType>Allow</PermissionType> 
</Type> 

<Inherited>false</Inherited> 

- <Applicability> 

<ToSelf>true</ToSelf> 

<ToDescendantObjects>false</ToDescendantObjects> 
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<ToDescendantContainers>true</ToDescendantContainers> 
<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly> 
</Applicability> 

- <Standard> 

<GPOGroupedAccessEnum>Edit, delete, modify 
security</GPOGroupedAccessEnum> 
</Standard> 

<AccessMask>0</AccessMask> 
</TrusteePermissions> 
- <TrusteePermissions> 

- <Trustee> 

<SID xmlns="http:// www. microsoft.com/GroupPolicy/Types" >S- 
l-5-ll</SID> 

<Name 

xmlns="http:// www.microsoft.com/GroupPolicy/Types" >NT 
AUTHORITY\Authenticated Users</Name> 

</Trustee> 

- <Type xsi:type="PermissionType"> 

< Perm issionType> Allow </PermissionType> 
</Type> 

< Inherited >false</Inherited> 

- < Applicability > 

<ToSelf>true</ToSelf> 

<ToDescendantObjects>false</ToDescendantObjects> 
<ToDescendantContainers>true</ToDescendantContainers> 
<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly> 
</Applicability> 

- <Standard> 

<GPOGroupedAccessEnum> Apply Group 
Policy </GPOGroupedAccessEnum> 
</Standard> 

<AccessMask>0</AccessMask> 
</TrusteePermissions> 
</Permissions> 
<AuditingPresent 

xmlns="http://www.microsoft.com/GroupPolicy/Types/Security">false</AuditingP 

</SecurityDescriptor> 

<FilterDataAvailable>true</FilterDataAvailable> 

- <Computer> 

<VersionDirectory>K/VersionDirectory> 
<VersionSysvol>l</VersionSysvol> 

< Enabled >false</Enabled> 
</Computer> 

- <User> 

<VersionDirectory>l</VersionDirectory> 

< VersionSysvol> K/VersionSysvol> 

< Enabled >true</Enabled> 
- <ExtensionData> 

<Extension 

xmlns:ql="http://www.micr soft.com/GroupP licy/Settings/FolderRedirection" 
xsi:type="ql:FolderRedirectionSettings" /> 
<Name>Folder Redirect! n</Name> 
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</ExtensionData> 
- <ExtensionData> 
- <Extension 

xmlns:q2="http://www. micros ft.c m/Gr upPoIicy/Settings/Registry" 
xs i : type = M q2: RegistrySetti ngs M > 

- <q2:Policy> 

<q2:Name>Show only specified C ntrol Panel applets</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Hides all Control Panel items and folders except 
those specified in this setting. \n\nThis setting removes all 
Control Panel items (such as Network) and folders (such as 
Fonts) from the Control Panel window and the Start menu. It 
removes Control Panel items you have added to your system, 
as well the Control Panel items included in Windows 2000 and 
Windows XP Professional. The only items displayed in Control 
Panel are those you specify in this setting. \n\nTo display a 
Control Panel item, type the file name of the item, such as 
Ncpa.cpl (for Network). To display a folder, type the folder 
name, such as Fonts. \n\nThis setting affects the Start menu 
and Control Panel window only. It does not prevent users from 
running any Control Panel items. \n\nAlso, see the "Remove 
Display in Control Panel" setting in User 
Configuration\Administrative Templates\Control 
Panel\Display.\n\nIf both the "Hide specified Control Panel 
applets" setting and the "Show only specified Control Panel 
applets" setting are enabled, the "Show only specified Control 
Panel applets" setting is ignored.\n\nTip: To find the file name 
of a Control Panel item, search for files with the .cpl file name 
extension in the %Systemroot%\System32 
directory.</q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category> Control Panel </q2: Category > 
- <q2:ListBox> 

<q2:Name>List of allowed Control Panel applets</q2:Name> 
<q2:State>Enabled</q2:State> 
<q2:ExplicitValue>false</q2:ExplicitValue> 
<q2:Additive>false</q2:Additive> 
<q2:ValuePrefix/> 
- <q2:Value> 

- <q2:Element> 

<q2 : Data > access, cpl </q2 : Data > 
</q2:Element> 

- <q2:Element> 

<q2 : Data >appwiz. cpl </q2 : Data > 
</q2:Element> 

- <q2:Element> 

< q2 : Data > desk.cpl </q2 : Data > 
</q2:Element> 

- <q2:Element> 

<q2: Data > main. cpl </q2: Data > 
</q2:Element> 
</q2:Value> 
</q2:ListBox> 
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- <q2:Text> 

<q2:Name>To create a list of allowed Control Panel applets, 
click Show,</q2:Name> 
</q2:Text> 

- <q2:Text> 

<q2:Name>then Add, and enter the C ntrol Panel file name 
(ends with .cpl)</q2:Name> 
</q2:Text> 

- <q2:Text> 

<q2:Name>or the name displayed under that item in the 
Control Panel. </q2:Name> 
</q2:Text> 

- <q2:Text> 

<q2:Name>(e.g., desk.cpl, powercfg.cpl, Printers)</q2:Name> 

</q2:Text> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Hide Add/Remove Windows Components 

page</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Removes the Add/Remove Windows Components 
button from the Add or Remove Programs bar. As a result, 
users cannot view or change the associated page.\n\nThe 
Add/ Remove Windows Components button lets users configure 
installed services and use the Windows Component Wizard to 
add, remove, and configure components of Windows from the 
installation files. \n\nlf you disable this setting or do not 
configure it, the Add/ Remove Windows Components button is 
available to all users. \n\nThis setting does not prevent users 
from using other tools and methods to configure services or 
add or remove program components. However, this setting 
blocks user access to the Windows Component 
Wizard.</q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category>Control Panel/Add or Remove 
Programs</q2:Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Hide the "Add a program from CD-ROM or floppy disk" 

option</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Removes the "Add a program from CD-ROM or floppy 
disk" section from the Add New Programs page. This prevents 
users from using Add or Remove Programs to install programs 
from removable media. \n\nlf you disable this setting or do not 
configure it, the "Add a program from CD-ROM or floppy disk" 
option is available to all users. \n\nThis setting does not 
prevent users from using other tools and methods to add or 
remove program components. \n\nNote: If the "Hide Add New 
Programs page" setting is enabled, this setting is ignored. Also, 
if the "Prevent rem vable media source for any install" setting 
(located in User Configuration \Administrative 
Templates\Windows Components\Windows Installer) is 
enabled, users cannot add programs from removable media, 
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regardless of this setting. </q2:Explain> 
<q2 :Supported> At least Micr s ft Windows 2000</q2:Supported> 
<q2:Category>Control Panel/Add or Remove 

Programs</q2:Category> 

</q2: Policy > 

- <q2:Policy> 

<q2:Name>Hide the "Add programs from Microsoft" 

option</q2:Name> 
<q2 : State> Enabled</q2 : State> 

<q2: Explain > Removes the "Add programs from Microsoft" section 
from the Add New Programs page. This setting prevents users 
from using Add or Remove Programs to connect to Windows 
Update. \n\nlf you disable this setting or do not configure it, 
"Add programs from Microsoft" is available to all 
users. \n\nThis setting does not prevent users from using other 
tools and methods to connect to Windows Update. \n\nNote: If 
the "Hide Add New Programs page" setting is enabled, this 
setting is ignored. </q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category>Control Panel/Add or Remove 
Programs</q2 :Category > 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Specify default category for Add New 

Programs</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Specifies the category of programs that appears 
when users open the "Add New Programs" page.\n\nlf you 
enable this setting, only the programs in the category you 
specify are displayed when the "Add New Programs" page 
opens. Users can use the Category box on the "Add New 
Programs" page to display programs in other 
categories. \n\nTo use this setting, type the name of a category 
in the Category box for this setting. You must enter a category 
that is already defined in Add or Remove Programs. To define a 
category, use Software Installation. \n\nlf you disable this 
setting or do not configure it, all programs (Category: All) are 
displayed when the "Add New Programs" page opens.\n\nYou 
can use this setting to direct users to the programs they are 
most likely to need.\n\nNote: This setting is ignored if either 
the "Remove Add or Remove Programs" setting or the "Hide 
Add New Programs page" setting is enabled. </q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category>Control Panel/Add or Remove 
Programs</q2:Category> 
- <q2:EditText> 

<q2 : Name>Category : </q2 : Name> 
<q2 : State> Enabled </q2 : State > 
<q2:Value>Custom Applications</q2:Value> 

</q2:EditText> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Hide Settings tab</q2:Name> 
<q2:State>Enabled</q2:State> 
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<q2: Explain > Removes the Settings tab from Display in Control 
Panel. \n\nThis setting prevents users from using Control Panel 
to add, configure, or change the display settings on the 
computer. </q2 : Explain > 

<q2:Supported>At least Micr soft Windows 2000</q2:Supported> 

<q2:Category>Control Panel/Display</q2:Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Screen Saver</q2:Name> 
<q2 : State > Enabled</q2 : State > 

<q2:Explain>Enables desktop screen savers. \n\nlf you disable 
this setting, screen savers do not run. Also, this setting 
disables the Screen Saver section of the Screen Saver tab in 
Display in Control Panel. As a result, users cannot change the 
screen saver options. \n\nlf you do not configure it, this 
setting has no effect on the system. \n\nlf you enable it, a 
screen saver runs, provided the following two conditions hold: 
First, a valid Screensaver on the client is specified through the 
"Screensaver executable name" setting or through Control 
Panel on the client computer. Second, the Screensaver timeout 
is set to a nonzero value through the setting or Control 
Panel. \n\nAlso, see the "Hide Screen Saver tab" 
setting. </q2: Explain > 

<q2:Supported>At least Microsoft Windows 2000 Service Pack 
K/q2:Supported> 

<q2:Categon/>Control Panel/ Display </q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Screen Saver executable name</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2: Explain >Specifies the screen saver for the user's 
desktop. \n\nlf you enable this setting, the system displays the 
specified screen saver on the user's desktop. Also, this setting 
disables the drop-down list of screen savers on the Screen 
Saver tab in Display in Control Panel, which prevents users 
from changing the screen saver. \n\nlf you disable this setting 
or do not configure it, users can select any screen saver. \n\nlf 
you enable this setting, type the name of the file that contains 
the screen saver, including the .scr file name extension. If the 
screen saver file is not in the %Systemroot%\System32 
directory, type the fully qualified path to the file.\n\nlf the 
specified screen saver is not installed on a computer to which 
this setting applies, the setting is ignored. \n\nNote: This 
setting can be superseded by the "Screen Saver" setting. If the 
"Screen Saver" setting is disabled, this setting is ignored, and 
screen savers do not run.</q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000 Service Pack 
l</q2:Supported> 

<q2:Category> Control Panel/ Display</q2:Category> 
- <q2:EditText> 

<q2:Name>Screen Saver executable name</q2:Name> 

<q2:State>Enabled</q2:State> 

<q2:Value>scrnsave.scr</q2:Value> 

</q2:EditText> 
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</q2: Policy > 

- <q2: Policy > 

<q2:Name>Do not add shares of recently opened documents to 

My Netw rk Places</q2:Name> 
<q2 : State > Enabled </q2 : State > 

<q2:Explain>Rem te shared f Iders are not added to My Network 
Places whenever you pen a d cument in the shared 
folder.\n\nlf you disable this setting or do not configure it, 
when you open a document in a remote shared folder, the 
system adds a connection to the shared folder to My Network 
Places. \n\nlf you enable this setting, shared folders are not 
added to My Network Places automatically when you open a 
document in the shared folder.</q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2 : Category > Desktop</q2 : Category > 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Prevent adding, dragging, dropping and closing the 

Taskbar's toolbars</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Prevents users from manipulating desktop 
toolbars. \n\nlf you enable this setting, users cannot add or 
remove toolbars from the desktop. Also, users cannot drag 
toolbars on to or off of docked toolbars. \n\nNote: If users 
have added or removed toolbars, this setting prevents them 
from restoring the default configuration. \n\nTip: To view the 
toolbars that can be added to the desktop, right-click a docked 
toolbar (such as the taskbar beside the Start button), and point 
to "Toolbars." \n\nAlso, see the "Prohibit adjusting desktop 
toolbars" setting.</q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category>Desktop</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Prohibit user from changing My Documents 

path</q2:Name> 
<q2 : State> Enabled</q2 : State> 

<q2:Explain>Prevents users from changing the path to the My 
Documents folder. \n\nBy default, a user can change the 
location of the My Documents folder by typing a new path in 
the Target box of the My Documents Properties dialog 
box.\n\nIf you enable this setting, users are unable to type a 
new location in the Target box.</q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2: Category >Desktop</q2:Category> 
</q2:Policy> 

- <q2: Policy > 

<q2:Name>Prohibit access to the Advanced Settings item on the 

Advanced menu</q2:Name> 
<q2 : State> Enabled</q2 :State> 

<q2:Explain>Determines whether the Advanced Settings item on 
the Advanced menu in Network C nnections is enabled for 
administrators. \n\nThe Advanced Settings item lets users view 
and change bindings and view and change the order in which 
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the computer accesses connections, network providers, and print 
providers. \n\nlf you enable this setting (and enable the 
"Enable Netw rk Connections settings for Administrators" 
setting), the Advanced Settings item is disabled for 
administrators. \n\nlmp rtant: If the "Enable Network 
Connect! ns settings for Administrat rs" is disabled or not 
configured, this setting will not apply to administrat rs on 
post-Windows 2000 computers. \n\nlf you disable this setting 
or do not configure it, the Advanced Settings item is enabled 
for administrators. \n\nNote: Nonadministrators are already 
prohibited from accessing the Advanced Settings dialog box, 
regardless of this setting. </q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000 Service Pack 
K/q2:Supported> 

<q2:Category> Network/ Network Connections</q2:Category> 
</q2:Policy> 

- <q2: Policy > 

<q2:Name> Prevent use of Offline Files folder</q2:Name> 
<q2 : State> Enabled</q2 : State> 

<q2:Explain>Disables the Offline Files folder.\n\nThis setting 
disables the "View Files" button on the Offline Files tab. As a 
result, users cannot use the Offline Files folder to view or open 
copies of network files stored on their computer. Also, they 
cannot use the folder to view characteristics of offline files, 
such as their server status, type, or location. \n\nThis setting 
does not prevent users from working offline or from saving 
local copies of files available offline. Also, it does not prevent 
them from using other programs, such as Windows Explorer, to 
view their offline files.\n\nThis setting appears in the 
Computer Configuration and User Configuration folders. If both 
settings are configured, the setting in Computer Configuration 
takes precedence over the setting in User 
Configuration. \n\nTip: To view the Offline Files Folder, in 
Windows Explorer, on the Tools menu, click Folder Options, 
click the Offline Files tab, and then click "View 
Files."</q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category> Network/Offline Files</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Prohibit user configuration of Offline Files</q2:Name> 
<q2 : State> Enabled</q2 : State> 

<q2:Explain>Prevents users from enabling, disabling, or changing 
the configuration of Offline Files. \n\nThis setting removes the 
Offline Files tab from the Folder Options dialog box. It also 
removes the Settings item from the Offline Files context menu 
and disables the Settings button on the Offline Files Status 
dialog box. As a result, users cannot view or change the 
options on the Offline Files tab or Offline Files dialog 
box.\n\nThis is a comprehensive setting that locks down the 
configuration y u establish by using other settings in this 
folder. \n\nThis setting appears in the Computer Configuration 
and User Configuration f Iders. If b th settings are configured, 
the setting in Computer C nfiguration takes precedence over 
the setting in User Configuration. \n\nTip: This setting provides 



Page 11 of 29 

a quick method f r locking d wn the default settings f r Offline 
Files. To accept the defaults, just enable this setting. You do 
n t have to disable any ther settings in this 
folder. </q2:Exp!ain> 
<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 
<q2:Category> Network/Offline Files</q2:Category> 
- <q2:Text> 

<q2:Name> Prevents users from changing any cache 
configuration settings. </q2:Name> 
</q2:Text> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Remove 'Make Available Offline , </q2:Name> 
<q2:State>Enabled</q2:State> 

<q2: Explain > Prevents users from making network files and 
folders available offline. \n\nThis setting removes the "Make 
Available Offline" option from the File menu and from all 
context menus in Windows Explorer. As a result, users cannot 
designate files to be saved on their computer for offline 
use.\n\nHowever, this setting does not prevent the system 
from saving local copies of files that reside on network shares 
designated for automatic caching. \n\nThis setting appears in 
the Computer Configuration and User Configuration folders. If 
both settings are configured, the setting in Computer 
Configuration takes precedence over the setting in User 
Configuration. </q2: Explain > 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category> Network/Offline Files</q2:Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name> Synchronize all offline files before logging 

off</q2:Name> 
<q2 : State > Enabled </q2 : State > 

<q2:Explain>Determines whether offline files are fully 
synchronized when users log off.\n\nThis setting also disables 
the "Synchronize all offline files before logging off" option on 
the Offline Files tab. This prevents users from trying to change 
the option while a setting controls it.\n\nlf you enable this 
setting, offline files are fully synchronized. Full synchronization 
ensures that offline files are complete and current.\n\nlf you 
disable this setting, the system only performs a quick 
synchronization. Quick synchronization ensures that files are 
complete, but does not ensure that they are current.\n\nlf you 
do not configure this setting, the system performs a quick 
synchronization by default, but users can change this 
option. \n\nThis setting appears in the Computer Configuration 
and User Configuration folders. If both settings are configured, 
the setting in Computer Configuration takes precedence over 
the setting in User Configuration. \n\nTip: To change the 
synchronization method without changing a setting, in 
Windows Explorer, on the T ols menu, click Folder Options, 
click the Offline Files tab, and then select the "Synchronize all 
ffline files before logging off" option. </q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 
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<q2:Category> Network/ Offline Files</q2:Category> 
</q2: Policy > 

- <q2: Policy > 

<q2:Name>Add Logoff t the Start Menu</q2:Name> 
<q2 : State > Enabled </q2 : State > 

<q2:Explain>Adds the "Log Off <username>" item to the Start 
menu and prevents users from removing it.\n\nlf you enable 
this setting, the Log Off <username> item appears in the Start 
menu. This setting also removes the Display Logoff item from 
Start Menu Options. As a result, users cannot remove the Log 
Off <username> item from the Start Menu.\n\nlf you disable 
this setting or do not configure it, users can use the Display 
Logoff item to add and remove the Log Off item.\n\nThis 
setting affects the Start menu only. It does not affect the Log 
Off item on the Windows Security dialog box that appears 
when you press Ctrl+Alt+Del.\n\nNote: To add or remove the 
Log Off item on a computer, click Start, click Settings, click 
Taskbar and Start Menu, click the Start Menu Options tab, and 
then, in the Start Menu Settings box, click Display 
Logoff. \n\nAlso, see "Remove Logoff" in User 
Configuration \Administrative 
Templates\System\Logon/ Logoff. </q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category>Start Menu and Taskbar</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name> Force classic Start Menu</q2:Name> 
<q2 : State> Enabled</q2 : State> 

<q2: Explain >This setting effects the presentation of the Start 
menu.\n\nThe classic Start menu in Windows 2000 
Professional allows users to begin common tasks, while the 
new Start menu consolidates common items onto one menu. 
When the classic Start menu is used, the following icons are 
placed on the desktop: My Documents, My Pictures, My Music, 
My Computer, and My Network Places. The new Start menu 
starts them directly. \n\nlf you enable this setting, the Start 
menu displays the classic Start menu in the Windows 2000 
style and displays the standard desktop icons. \n\nlf you 
disable this setting, the Start menu only displays in the new 
style, meaning the desktop icons are now on the Start 
page.\n\nlf you do not configure this setting, the default is the 
new style, and the user can change the view.</q2:Explain> 

<q2:Supported>At least Microsoft Windows XP Professional or 
Windows Server 2003 family</q2:Supported> 

<q2:Category>Start Menu and Taskbar</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Gray unavailable Windows Installer programs Start 

Menu shortcuts</q2:Name> 
< q2 : State > Enabled </q2 : State > 

<q2:Explain>Displays Start menu shortcuts to partially installed 
programs in gray text.\n\nThis setting makes it easier for 
users to distinguish between pr grams that are fully installed 
and those that are only partially installed. \n\nPartially 
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installed pr grams include those that a system administrat r 
assigns using Windows Installer and th se that users have 
configured for full installation upon first use.\n\nlf you disable 
this setting or do not configure it, all Start menu shortcuts 
appear as black text.\n\nN te: Enabling this setting can make 
the Start menu slow to open.</q2:Explain> 
<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 
<q2:Category>Start Menu and Taskbar</q2:Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Remove links and access to Windows 

Update</q2 : Name> 
<q2 : State > Enabled</q2 : State> 

<q2:Explain>Prevents users from connecting to the Windows 
Update Web site.\n\nThis setting blocks user access to the 
Windows Update Web site at 

http://windowsupdate.microsoft.com. Also, the setting 
removes the Windows Update hyperlink from the Start menu 
and from the Tools menu in Internet Explorer.\n\nWindows 
Update, the online extension of Windows, offers software 
updates to keep a user's system up-to-date. The Windows 
Update Product Catalog determines any system files, security 
fixes, and Microsoft updates that users need and shows the 
newest versions available for download. \n\nAlso, see the 
"Hide the "Add programs from Microsoft" option" 
setting. </q2 : Explain > 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category>Start Menu and Taskbar</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name> Remove Network Connections from Start 

Menu</q2:Name> 
<q2 : State > Enabled</q2 : State> 

<q2:Explain>Prevents users from running Network 
Connections. \n\nThis setting prevents the Network 
Connections folder from opening. This setting also removes 
Network Connections from Settings on the Start 
menu.\n\nNetwork Connections still appears in Control Panel 
and in Windows Explorer, but if users try to start it, a message 
appears explaining that a setting prevents the action. \n\nAlso, 
see the "Disable programs on Settings menu" and "Disable 
Control Panel" settings and the settings in the Network 
Connections folder (Computer Configuration and User 
Configuration \Administrative Templates\Network\Network 
Connections). </q2: Explain > 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category>Start Menu and Taskbar</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name> Don't display the Getting Started welcome screen at 

logon</q2:Name> 
<q2 : State > Enabled </q2 : State> 

<q2: Explain >Supresses the welcome screen. \n\nThis setting 
hides the welcome screen that is displayed on Windows 2000 
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Professional and Wind ws XP Professional each time the user logs 
on.\n\nUsers can still display the welcome screen by selecting 
it on the Start menu or by typing "Welcome" in the Run dialog 
box.\n\nThis setting applies only to Windows 2000 
Professi nal and Wind ws XP Professional. It does not affect 
the "Configure Your Server on a Windows 2000 Server" screen 
n Windows 2000 Server. \n\nNote: This setting appears in the 
Computer Configuration and User Configuration folders. If both 
settings are configured, the setting in Computer Configuration 
takes precedence over the setting in User 
Configuration. \n\nTip: To display the welcome screen, click 
Start, point to Programs, point to Accessories, point to System 
Tools, and then click "Getting Started." To suppress the 
welcome screen without specifying a setting, clear the "Show 
this screen at startup" check box on the welcome 
screen. </q2 : Explain> 
<q2:Supported>Only works on Microsoft Windows 

2000</q2:Supported> 
<q2 :Category>System</q2 :Category> 

</q2: Policy > 

- <q2:Policy> 

<q2:Name>Prevent access to registry editing tools</q2:Name> 

<q2 : State > Enabled </q2 : State > 

<q2:Explain>Disables the Windows registry editor 
Regedit.exe. \n\nlf this setting is enabled and the user tries to 
start a registry editor, a message appears explaining that a 
setting prevents the action. \n\nTo prevent users from using 
other administrative tools, use the "Run only allowed Windows 
applications" setting. </q2 : Explain > 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category>System</q2:Category> 
</q2: Policy > 

- <q2: Policy > 

<q2:Name>Turn off Autoplay</q2:Name> 
<q2 : State> Enabled</q2 : State > 

<q2:Explain>Turns off the Autoplay feature. \n\nAutoplay begins 
reading from a drive as soon as you insert media in the drive. 
As a result, the setup file of programs and the music on audio 
media start immediately. \n\nBy default, Autoplay is disabled 
on removable drives, such as the floppy disk drive (but not the 
CD-ROM drive), and on network drives. \n\nlf you enable this 
setting, you can also disable Autoplay on CD-ROM drives or 
disable Autoplay on all drives. \n\nThis setting disables 
Autoplay on additional types of drives. You cannot use this 
setting to enable Autoplay on drives on which it is disabled by 
default. \n\nNote: This setting appears in both the Computer 
Configuration and User Configuration folders. If the settings 
conflict, the setting in Computer Configuration takes 
precedence over the setting in User Configuration. \n\nNote: 
This setting does not prevent Autoplay for music 
CDs.</q2:Explain> 

<q2:Supported>At least Micros ft Wind ws 2000</q2:Supported> 

<q2:Category>System</q2:Category> 
- <q2:DropDownList> 
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<q2:Name>Turn off Autoplay n:</q2:Name> 
<q2:State>Enabled</q2:State> 
- <q2:Value> 

<q2:Name>AII drives </q2:Name> 
</q2:Value> 
</q2:DropDownl_ist> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Run logon scripts synchronously</q2:Name> 
< q2 : State > Enabled</q2 : State > 

<q2: Explain > Directs the system to wait for the logon scripts to 
finish running before it starts the Windows Explorer interface 
program and creates the desktop. \n\nlf you enable this 
setting, Windows Explorer does not start until the logon scripts 
have finished running. This setting ensures that logon script 
processing is complete before the user starts working, but it 
can delay the appearance of the desktop. \n\nlf you disable 
this setting or do not configure it, the logon scripts and 
Windows Explorer are not synchronized and can run 
simultaneously.\n\nThis setting appears in the Computer 
Configuration and User Configuration folders. The setting set in 
Computer Configuration takes precedence over the setting set 
in User Configuration. </q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category>System/Scripts</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Limit profile size</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Sets the maximum size of each user profile and 
determines the system's response when a user profile reaches 
the maximum size.\n\nlf you disable this setting or do not 
configure it, the system does not limit the size of user 
profiles.\n\nIf you enable this setting, you can do the 
following:\n\n— Seta maximum permitted user profile 
size;\n\n— Determine whether the registry files are included in 
the calculation of the profile size;\n\n« Determine whether 
users are notified when the profile exceeds the permitted 
maximum size;\n\n— Specify a customized message notifying 
users of the oversized profile; \n\n-- Determine how often the 
customized message is displayed. \n\nNote: This setting 
affects both local and roaming profiles. </q2:Explain> 
<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 
<q2:Category>System/User Profiles</q2:Category> 

- <q2:EditText> 

<q2:Name>Custom Message</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Value>You have exceeded your profile storage space. 
Before you can log off, you need to move some items from 
your profile to network or I cal st rage.</q2:Value> 

</q2;EditText> 

- <q2:Numeric> 

<q2:Name>Max Pr file size (KB)</q2:Name> 
<q2 : State> Enabled </q2 :State> 



Page 16 of 29 

<q2:Value>30000</q2:Value> 
</q2:Numeric> 

- <q2:CheckBox> 

<q2:Name>Include registry in file list</q2:Name> 
<q2:State>Disabled</q2:State> 
</q2:CheckBox> 

- <q2:CheckBox> 

<q2:Name> Notify user when profile storage space is 

exceeded. </q2 : Name> 
<q2:State>Enabled</q2:State> 
</q2:CheckBox> 

- <q2:Numeric> 

<q2:Name>Remind user every X minutes:</q2:Name> 
<q2 : State > Enabled </q2 : State > 
<q2:Value>15</q2:Value> 
</q2:Numeric> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Disable changing Advanced page settings</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Prevents users from changing settings on the 
Advanced tab in the Internet Options dialog box.\n\nIf you 
enable this policy, users are prevented from changing 
advanced Internet settings, such as security, multimedia, and 
printing. Users cannot select or clear the check boxes on the 
Advanced tab.\n\nlf you disable this policy or do not configure 
it, users can select or clear settings on the Advanced 
tab.\n\nlf you set the "Disable the Advanced page" policy 
(located in \User Configuration\Administrative 
Templates\Windows Components\Internet Explorer\Internet 
Control Panel), you do not need to set this policy, because the 
"Disable the Advanced page" policy removes the Advanced tab 
from the interface.</q2:Explain> 

<q2:Supported>at least Internet Explorer v5.01</q2:Supported> 

<q2:Category> Windows Components/Internet 
Explorer</q2:Category> 
</q2:Policy> 

- <q2: Policy > 

<q2:Name>Disable changing certificate settings</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2;Explain>Prevents users from changing certificate settings in 
Internet Explorer. Certificates are used to verify the identity of 
software publishers.\n\nlf you enable this policy, the settings 
in the Certificates area on the Content tab in the Internet 
Options dialog box appear dimmed. \n\nlf you disable this 
policy or do not configure it, users can import new certificates, 
remove approved publishers, and change settings for 
certificates that have already been accepted. \n\nThe "Disable 
the Content page" policy (located in \User 
C nfiguration\Administrative Templates\Wind ws 
Components\Internet Explorer\Internet Control Panel), which 
removes the Content tab fr m Internet Explorer in Control 
Panel, takes precedence ver this p licy. If it is enabled, this 
p licy is ignored. \n\nCaution: If y u enable this policy, users 
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can still run the Certificate Manager Import Wizard by d uble- 

clicking a software publishing certificate (.spc) file. This wizard 
enables users to import and configure settings for certificates 
f r m s ftware publishers that haven't already been configured 
for Internet Explorer. </q2:Explain> 
<q2:Supported>at least Internet Explorer v5.0K/q2:Supported> 
<q2:Category>Windows Comp nents/Internet 
Explorer </q2: Category > 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Disable changing default browser check</q2:Name> 
< q2 : State > Enabled </q2 : State > 

<q2: Explain > Prevents Microsoft Internet Explorer from checking 
to see whether it is the default browser. \n\nlf you enable this 
policy, the Internet Explorer Should Check to See Whether It Is 
the Default Browser check box on the Programs tab in the 
Internet Options dialog box appears dimmed. \n\nlf you 
disable this policy or do not configure it, users can determine 
whether Internet Explorer will check to see if it is the default 
browser. When Internet Explorer performs this check, it 
prompts the user to specify which browser to use as the 
default.\n\nThis policy is intended for organizations that do 
not want users to determine which browser should be their 
default.\n\nThe "Disable the Programs page" policy (located in 
\User Configuration\Administrative Templates\Windows 
Components\Internet Explorer\Internet Control Panel), which 
removes the Programs tab from Internet Explorer in Control 
Panel, takes precedence over this policy. If it is enabled, this 
policy is ignored. </q2:Explain> 

<q2:Supported>at least Internet Explorer v5.0K/q2:Supported> 

<q2: Category > Windows Components/Internet 
Explorer</q2:Category> 
</q2: Policy > 

- <q2: Policy > 

<q2:Name>Disable changing ratings settings</q2:Name> 
<q2 : State > Enabled </q2 : State > 

<q2:Explain>Prevents users from changing ratings that help 
control the type of Internet content that can be viewed. \n\nlf 
you enable this policy, the settings in the Content Advisor area 
on the Content tab in the Internet Options dialog box appear 
dimmed. \n\nlf you disable this policy or do not configure it, 
users can change their ratings settings.\n\nThe "Disable the 
Ratings page" policy (located in \User 
Configuration\Administrative Templates\Windows 
Components\Internet Explorer\Internet Control Panel), which 
removes the Ratings tab from Internet Explorer in Control 
Panel, takes precedence over this policy. If it is enabled, this 
policy is ignored. </q2:Explain> 

<q2:Supported>at least Internet Explorer v5.0K/q2:Supported> 

<q2:Category> Windows Components/Internet 
Expl rer</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Disable changing Temporary Internet files 
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settings</q2 : Name> 
<q2:State>Enabled</q2:State> 

<q2: Explain > Prevents users from changing the browser cache 
settings, such as the location and am unt f disk space to use 
for the Temporary Internet Files folder. \n\nlf you enable this 
policy, the browser cache settings appear dimmed. These 
settings are found in the dialog box that appears when users 
click the General tab and then click the Settings button in the 
Internet Options dialog box.\n\nIf you disable this policy or do 
not configure it, users can change their cache settings. \n\nlf 
you set the "Disable the General page" policy (located in \User 
Configuration \Administrative Templates\ Windows 
Components\Internet Explorer\Internet Control Panel), you do 
not need to set this policy, because the "Disable the General 
page" policy removes the General tab from the 
interface.</q2:Explain> 

<q2:Supported>at least Internet Explorer v5.01</q2:Supported> 

<q2 :Category> Windows Components/Internet 
Explorer</q2:Category> 
</q2:Policy> 

- <q2: Policy > 

<q2:Name>Disable external branding of Internet 

Explorer</q2:Name> 
<q2 : State > Enabled </q2 : State > 

<q2:Explain>Prevents branding of Internet programs, such as 
customization of Internet Explorer and Outlook Express logos 
and title bars, by another party. \n\nlf you enable this policy, it 
prevents customization of the browser by another party, such 
as an Internet service provider or Internet content 
provider. \n\nlf you disable this policy or do not configure it, 
users could install customizations from another party-for 
example, when signing up for Internet services. \n\nThis policy 
is intended for administrators who want to maintain a 
consistent browser across an organization. </q2:Explain> 

<q2:Supported>at least Internet Explorer v5.01</q2:Supported> 

<q2 :Category> Windows Components/Internet 
Explorer </q2 '.Category > 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Disable Internet Connection wizard </q2:Name> 
< q2 : State > Enabled </q2 : State > 

<q2: Explain > Prevents users from running the Internet Connection 
Wizard. \n\nlf you enable this policy, the Setup button on the 
Connections tab in the Internet Options dialog box appears 
dimmed. \n\nUsers will also be prevented from running the 
wizard by clicking the Connect to the Internet icon on the 
desktop or by clicking Start, pointing to Programs, pointing to 
Accessories, pointing to Communications, and then clicking 
Internet Connection Wizard. \n\nlf you disable this policy or do 
not configure it, users can change their connection settings by 
running the Internet Connect! n Wizard. \n\nNote: This p licy 
overlaps with the "Disable the C nnections page" policy 
(located in \User Configuration\Administrative 
Templates\Wind ws C mponents\Internet Expl rer\Internet 
C ntrol Panel), which removes the Connections tab fr m the 
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interface. Removing the Connections tab from the interface, 
h wever, d es n t prevent users from running the Internet 
Connecti n Wizard fr m the desktop or the Start 
menu. </q2: Explain > 
<q2:Supported>at least Internet Explorer v5.01</q2:Supported> 
<q2:Category> Windows Components/Internet 
Explorer </q2 :Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Disable the Reset Web Settings feature</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Prevents users from restoring default settings for 
home and search pages. \n\nlf you enable this policy, the 
Reset Web Settings button on the Programs tab in the Internet 
Options dialog box appears dimmed. \n\nlf you disable this 
policy or do not configure it, users can restore the default 
settings for home and search pages. \n\nThe "Disable the 
Programs page" policy (located in \User 
Configuration \Administrative Templates\ Windows 
Components\Internet Explorer\Internet Control Panel), which 
removes the Programs tab from Internet Explorer in Control 
Panel, takes precedence over this policy. If it is enabled, this 
policy is ignored. </q2:Explain> 

<q2:Supported>at least Internet Explorer v5.0K/q2:Supported> 

<q2:Category> Windows Components/Internet 
Explorer</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Do not allow AutoComplete to save 

passwords</q2:Name> 
<q2 : State> Enabled </q2 : State > 

<q2;Explain> Disables automatic completion of user names and 
passwords in forms on Web pages, and prevents users from 
being prompted to save passwords. \n\nlf you enable this 
policy, the User Names and Passwords on Forms and Prompt 
Me to Save Passwords check boxes appear dimmed. To display 
these check boxes, users open the Internet Options dialog box, 
click the Content tab, and then click the AutoComplete 
button. \n\nlf you disable this policy or don't configure it, 
users can determine whether Internet Explorer automatically 
completes user names and passwords on forms and prompts 
them to save passwords. \n\nThe "Disable the Content page" 
policy (located in \User Configuration\Administrative 
Templates\Windows Components\Internet Explorer\Internet 
Control Panel), which removes the Content tab from Internet 
Explorer in Control Panel, takes precedence over this policy. If 
it is enabled, this policy is ignored. </q2:Explain> 

<q2:Supported>at least Internet Explorer v5.01</q2:Supported> 

<q2:Category> Windows Components/Internet 
Explorer</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Identity Manager: Prevent users from using 
Identities</q2:Name> 
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<q2 : State> Enabled </q2 :State > 

<q2:Explain>Prevents users fr m configuring unique identities by 
using Identity Manager.\n\nldentity Manager enables users to 
create multiple accounts, such as e-mail accounts, n the same 
computer. Each user has a unique identity, with a different 
password and different program preferences. \n\nlf you enable 
this policy, users will n t be able t create new identities, 
manage existing identities, or switch identities. The Switch 
Identity option will be removed from the File menu in Address 
Book.\n\nIf you disable this policy or do not configure it, users 
can set up and change identities.</q2:Explain> 

<q2:Supported>at least Internet Explorer v5.01</q2:Supported> 

<q2:Category> Windows Components/Internet 
Explorer</q2:Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Search: Disable Search Customization</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2: Explain > Makes the Customize button in the Search Assistant 
appear dimmed. \n\nThe Search Assistant is a tool that 
appears in the Search bar to help users search the 
Internet.\n\nlf you enable this policy, users cannot change 
their Search Assistant settings, such as setting default search 
engines for specific tasks. \n\nlf you disable this policy or do 
not configure it, users can change their settings for the Search 
Assistant.\n\nThis policy is designed to help administrators 
maintain consistent settings for searching across an 
organization. </q2: Explain > 

<q2:Supported>at least Internet Explorer v5.01</q2:Supported> 

<q2: Category > Windows Components/Internet 
Explorer</q2:Category> 
</q2: Policy > 

- <q2: Policy > 

<q2:Name>Use Automatic Detection for dial-up 

connections</q2 : Name> 
<q2 : State> Enabled</q2 : State> 

<q2: Explain > Specifies that Automatic Detection will be used to 
configure dial-up settings for users. \n\nAutomatic Detection 
uses a DHCP (Dynamic Host Configuration Protocol) or DNS 
server to customize the browser the first time it is 
started. \n\nlf you enable this policy, users' dial-up settings 
will be configured by Automatic Detection. \n\nlf you disable 
this policy or do not configure it, dial-up settings will not be 
configured by Automatic Detection, unless specified by the 
user.</q2:Explain> 

<q2:Supported>at least Internet Explorer v5.01</q2:Supported> 

<q2:Category> Windows Components/Internet 
Explorer</q2:Category> 
</q2:Policy> 

- <q2: Policy > 

<q2:Name>Help menu: Remove 'For Netscape Users' menu 

ption</q2:Name> 
<q2 : State > Enabled</q2 : State > 

<q2:Explain>Prevents users from displaying tips for users who 
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are switching from Netscape. \n\nlf y u enable this p licy, the F r 
Netscape Users command is removed from the Help 
menu.\n\nlf you disable this policy or do not configure it, 
users can display content ab ut switching from Netscape by 
clicking the For Netscape Users command on the Help 
menu.\n\nCaution: Enabling this policy does not remove the 
tips for Netscape users from the Micr s ft Internet Explorer 
Help file.</q2:Explain> 
<q2:Supported>at least Internet Explorer v5.0K/q2:Supported> 
<q2:Category> Windows Components/Internet Explorer/ Browser 
menus</q2:Category> 

</q2: Policy > 

- <q2:Policy> 

<q2:Name>Help menu: Remove 'Send Feedback' menu 

option</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Prevents users from sending feedback to Microsoft 

by clicking the Send Feedback command on the Help 

menu.\n\nlf you enable this policy, the Send Feedback 

command is removed from the Help menu.\n\nlf you disable 

this policy or do not configure it, users can fill out an Internet 

form to provide feedback about Microsoft 

products. </q2:Explain> 
<q2:Supported>at least Internet Explorer v5.01</q2:Supported> 
<q2:Category> Windows Components/Internet Explorer/Browser 

menus</q2:Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Help menu: Remove 'Tip of the Day' menu 

option</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Prevents users from viewing or changing the Tip of 
the Day interface in Microsoft Internet Explorer. \n\nlf you 
enable this policy, the Tip of the Day command is removed from 
the Help menu.\n\nlf you disable this policy or do not 
configure it, users can enable or disable the Tip of the Day, 
which appears at the bottom of the browser.</q2:Explain> 
<q2:Supported>at least Internet Explorer v5.01</q2:Supported> 
<q2:Category> Windows Components/Internet Explorer/ Browser 
menus</q2:Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name> Restrict the user from entering author 

mode</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Prevents users from entering author mode.\n\nThis 
setting prevents users from opening the Microsoft Management 
Console (MMC) in author mode, explicitly opening console files 
in author mode, and opening any console files that open in 
author mode by default.\n\nAs a result, users cannot create 
console files or add or remove snap-ins. Also, because they 
cannot pen auth r-mode console files, they cann t use the 
tools that the files c ntain.\n\nThis setting permits users to 
open MMC user-mode console files, such as th se on the 
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Administrative Tools menu in Wind ws 2000 Server family or 
Windows Server 2003 family. However, users cannot open a 
blank MMC console window n the Start menu. (To open the 
MMC, click Start, click Run, and type mmc.) Users also cannot 
open a blank MMC console window from a command 
pr mpt.\n\nlf you disable this setting or do not configure it, 
users can enter author mode and open author-mode console 
files.</q2:Explain> 
<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 
<q2:Category>Windows Components/ Microsoft Management 
Console</q2:Category> 
</q2: Policy > 

- <q2: Policy > 

<q2:Name>Restrict users to the explicitly permitted list of snap- 

ins</q2:Name> 
<q2 : State > Enabled</q2 : State > 

<q2:Explain>Lets you selectively permit or prohibit the use of 
Microsoft Management Console (MMC) snap-ins. \n\n-- If you 
enable this setting, all snap-ins are prohibited, except those 
that you explicitly permit. Use this setting if you plan to 
prohibit use of most snap-ins. \n\n To explicitly permit a snap- 
in, open the Restricted/ Permitted snap-ins setting folder and 
enable the settings representing the snap-in you want to 
permit. If a snap-in setting in the folder is disabled or not 
configured, the snap-in is prohibited. \n\n— If you disable this 
setting or do not configure it, all snap-ins are permitted, except 
those that you explicitly prohibit. Use this setting if you plan to 
permit use of most snap-ins.\n\n To explicitly prohibit a snap- 
in, open the Restricted/ Permitted snap-ins setting folder and 
then disable the settings representing the snap-ins you want to 
prohibit. If a snap-in setting in the folder is enabled or not 
configured, the snap-in is permitted. \n\nWhen a snap-in is 
prohibited, it does not appear in the Add/Remove Snap-in 
window in MMC. Also, when a user opens a console file that 
includes a prohibited snap-in, the console file opens, but the 
prohibited snap-in does not appear. \n\nNote: If you enable 
this setting, and you do not enable any settings in the 
Restricted/Permitted snap-ins folder, users cannot use any 
MMC snap-ins. </q2:Explain> 
<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 
<q2:Category> Windows Components/ Microsoft Management 
Console</q2:Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Hide Advanced Properties Checkbox in Add Scheduled 

Task Wizard</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>This setting removes the "Open advanced properties 
for this task when I click Finish" checkbox from the last page 
of the Scheduled Task Wizard. This policy is only designed to 
simplify task creation for beginning users. \n\nThe checkbox, 
when checked, instructs Task Scheduler to automatically open 
the newly created task's property sheet upon completion of the 
"Add Scheduled Task" wizard. The task's property sheet allows 
users to change task characteristics such as: the program the 
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task runs, details f its schedule, idle time and power management 
settings, and its security context. Beginning users will often 
not be interested or confused by having the property sheet 
displayed aut matically. Note that the checkbox is not checked 
by default even if this setting is Disabled or Not 
Configured. \n\nNote: This setting appears in the Computer 
Configuration and User Configuration folders. If both settings 
are configured, the setting in Computer Configuration takes 
precedence over the setting in User Configuration. </q2: Explain > 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category> Windows Components/Task 
Scheduler</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Hide Property Pages</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Prevents users from viewing and changing the 
properties of an existing task.\ri\nThis setting removes the 
Properties item from the File menu in Scheduled Tasks and 
from the context menu that appears when you right-click a 
task. As a result, users cannot change any properties of a task. 
They can only see the properties that appear in Detail view and 
in the task preview.\n\nThis setting prevents users from 
viewing and changing characteristics such as the program the 
task runs, its schedule details, idle time and power 
management settings, and its security context.\n\nNote: This 
setting appears in the Computer Configuration and User 
Configuration folders. If both settings are configured, the 
setting in Computer Configuration takes precedence over the 
setting in User Configuration. \n\nTip: This setting affects 
existing tasks only. To prevent users from changing the 
properties of newly created tasks, use the "Remove Advanced 
Menu" setting. </q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category> Windows Components/Task 
Scheduler</q2:Category> 
</q2:Policy> 

- <q2:Policy> 

<q2:Name>Prevent Task Run or End</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Prevents users from starting and stopping tasks 
manually. \n\nThis setting removes the Run and End Task 
items from the context menu that appears when you right-click 
a task. As a result, users cannot start tasks manually or force 
tasks to end before they are finished. \n\nNote: This setting 
appears in the Computer Configuration and User Configuration 
folders. If both settings are configured, the setting in Computer 
Configuration takes precedence over the setting in User 
Configuration. </q2: Explain > 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category> Windows Components/Task 
Scheduler</q2 :Category> 
</q2:Policy> 

- <q2:Policy> 
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<q2:Name> Prohibit Browse</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Limits newly scheduled to items on the user's Start 
menu, and prevents the user from changing the scheduled 
program for existing tasks. \n\nThis setting removes the 
Browse button from the Schedule Task Wizard and from the 
Task tab of the properties dialog box for a task. Also, users 
cannot edit the "Run" box or the "Start in" box that determine 
the program and path for a task.\n\nAs a result, when users 
create a task, they must select a program from the list in the 
Scheduled Task Wizard, which displays only the tasks that 
appear on the Start menu and its submenus. Once a task is 
created, users cannot change the program a task 
runs.\n\nImportant: This setting does not prevent users from 
creating a new task by pasting or dragging any program into 
the Scheduled Tasks folder. To prevent this action, use the 
"Prohibit Drag-and-Drop" setting. \n\nNote: This setting 
appears in the Computer Configuration and User Configuration 
folders. If both settings are configured, the setting in Computer 
Configuration takes precedence over the setting in User 
Configuration. </q2: Explain > 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2 :Category> Windows Components/Task 
Scheduler</q2 :Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name> Prohibit Drag-and-Drop</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Prevents users from adding or removing tasks by 
moving or copying programs in the Scheduled Tasks 
folder. \n\nThis setting disables the Cut, Copy, Paste, and 
Paste shortcut items on the context menu and the Edit menu in 
Scheduled Tasks. It also disables the drag-and-drop features of 
the Scheduled Tasks folder. \n\nAs a result, users cannot add 
new scheduled tasks by dragging, moving, or copying a 
document or program into the Scheduled tasks folder. \n\nThis 
setting does not prevent users from using other methods to 
create new tasks, and it does not prevent users from deleting 
tasks. \n\nNote: This setting appears in the Computer 
Configuration and User Configuration folders. If both settings 
are configured, the setting in Computer Configuration takes 
precedence over the setting in User Configuration. </q2: Explain > 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2: Category > Windows Components/Task 
Scheduler</q2 :Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Prohibit New Task Creation</q2:l\lame> 
<q2 : State > Enabled </q2 : State > 

<q2:Explain>Prevents users from creating new tasks. \n\nThis 
setting removes the Add Scheduled Task item that starts the 
New Task Wizard. Also, the system does not respond when 
users try to move, paste, r drag pr grams or documents into 
the Scheduled Tasks folder. \n\nNote: This setting appears in 
the Computer C nfigurati n and User Configuration folders. If 
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both settings are c nfigured, the setting in Computer 

Configuration takes precedence over the setting in User 
Configuration. \n\nImportant: This setting does not prevent 
administrat rs of a computer from using At.exe to create new 
tasks or prevent administrat rs fr m submitting tasks fr m 
remote computers.</q2:Explain> 
<q2:Supported>At least Micr s ft Wind ws 2000</q2:Supported> 
<q2:Category> Windows Comp nents/Task 
Scheduler</q2:Category> 

</q2: Policy > 

- <q2: Policy > 

<q2:Name>Prohibit Task Deletion</q2:Name> 
<q2 :State> Enabled</q2 : State> 

<q2: Explain > Prevents users from deleting tasks from the 
Scheduled Tasks folder.\n\nThis setting removes the Delete 
command from the Edit menu in the Scheduled Tasks folder 
and from the menu that appears when you right-click a task. 
Also, the system does not respond when users try to cut or 
drag a task from the Scheduled Tasks folder. \n\nNote: This 
setting appears in the Computer Configuration and User 
Configuration folders. If both settings are configured, the 
setting in Computer Configuration takes precedence over the 
setting in User Configuration. \n\nImportant: This setting does 
not prevent administrators of a computer from using At.exe to 
delete tasks. </q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category> Windows Components/Task 
Scheduler</q2 :Category> 
</q2:Policy> 

- <q2: Policy > 

<q2:Name>Allow only per user or approved shell 

extensions</q2 : Name> 
<q2 : State > Enabled </q2 : State > 

<q2: Explain >This setting is designed to ensure that shell 
extensions can operate on a per-user basis. If you enable this 
setting, Windows is directed to only run those shell extensions 
that have either been approved by an administrator or that will 
not impact other users of the machine. \n\nA shell extension 
only runs if there is an entry in at least one of the following 
locations in registry.\n\nFor shell extensions that have been 
approved by the administrator and are available to all users of 
the computer, there must be an entry at 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell 
Extensions\Approved.\n\nFor shell extensions to run on a per- 
user basis, there must be an entry at 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell 

Extensions\Approved.</q2: Explain > 
<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 
<q2:Category> Windows Components/Windows 

Explorer</q2:Category> 

</q2:Policy> 

- <q2:Policy> 

<q2:Name>Do not request alternate credentials</q2:Name> 
<q2:State>Enabled</q2:State> 
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<q2: Explain > Prevents users from submitting alternate logon 
credentials to install a program. \n\nThis setting suppresses 
the "Install Program As Other User" dialog box for local and 
network installati ns. This dialog box, which prompts the 
current user f r the user name and password of an 
administrator, appears when users who are not administrators 
try to install programs locally on their computers. This setting 
allows administrators wh have logged on as regular users to 
install programs without logging off and logging on again using 
their administrator credentials. \n\nMany programs can be 
installed only by an administrator. If you enable this setting 
and a user does not have sufficient permissions to install a 
program, the installation continues with the current user's 
logon credentials. As a result, the installation might fail, or it 
might complete but not include all features. Or, it might appear 
to complete successfully, but the installed program might not 
operate correctly, \n\nlf you disable this setting or do not 
configure it, the "Install Program As Other User" dialog box 
appears whenever users install programs locally on the 
computer. \n\nBy default, users are not prompted for alternate 
logon credentials when installing programs from a network 
share. If enabled, this setting overrides the "Request 
credentials for network installations" setting. </q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category>Windows Components/Windows 
Explorer</q2 :Category> 
</q2: Policy > 

- <q2:Policy> 

<q2:Name>Hides the Manage item on the Windows Explorer 

context menu</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2:Explain>Removes the Manage item from the Windows 
Explorer context menu. This context menu appears when you 
right-click Windows Explorer or My Computer.\n\nThe Manage 
item opens Computer Management (Compmgmt.msc), a 
console tool that includes many of the primary Windows 2000 
administrative tools, such as Event Viewer, Device Manager, 
and Disk Management. You must be an administrator to use 
many of the features of these tools. \n\nThis setting does not 
remove the Computer Management item from the Start menu 
(Start, Programs, Administrative Tools, Computer 
Management), nor does it prevent users from using other 
methods to start Computer Management.\n\nTip: To hide all 
context menus, use the "Remove Windows Explorer's default 
context menu" setting. </q2:Explain> 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category> Windows Components/ Windows 
Explorer</q2:Category> 
</q2:Policy> 

- <q2: Policy > 

<q2:Name>No "Entire Network" in My Netw rk Places</q2:Name> 
<q2 : State > Enabled </q2 : State > 

<q2: Explain > Removes all computers outside of the user's 
w rkgroup or local domain from lists of network resources in 
Wind ws Explorer and My Network Places.\n\nlf y u enable 
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this setting, the system removes the Entire Network option and the 
icons representing networked computers from My Network 
Places and fr m the browser associated with the Map Network 
Drive option. \n\nThis setting d es not prevent users from 
viewing or c nnecting t computers in their workgroup or 
domain. It also does not prevent users from connecting to 
remote computers by other commonly used methods, such as 
by typing the share name in the Run dialog b x or the Map 
Network Drive dialog box.\n\nTo remove computers in the 
user's workgroup or domain from lists of network resources, 
use the "No "Computers Near Me" in My Network Places" 
setting. \n\nNote: It is a requirement for third-party 
applications with Windows 2000 or later certification to adhere 
to this setting. </q2:Explain> 
<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 
<q2:Category> Windows Components/Windows 
Explorer</q2 .'Category > 

</q2: Policy > 

- <q2: Policy > 

<q2:Name>Remove Hardware tab</q2:Name> 
<q2 : State > Enabled </q2 : State > 

<q2: Explain > Removes the Hardware tab.\n\nThis setting 
removes the Hardware tab from Mouse, Keyboard, and Sounds 
and Audio Devices in Control Panel. It also removes the 
Hardware tab from the Properties dialog box for all local 
drives, including hard drives, floppy disk drives, and CD-ROM 
drives. As a result, users cannot use the Hardware tab to view 
or change the device list or device properties, or use the 
Troubleshoot button to resolve problems with the 
device. </q2: Explain > 

<q2:Supported>At least Microsoft Windows 2000</q2:Supported> 

<q2:Category> Windows Components/ Windows 
Explorer</q2 : Category > 
</q2: Policy > 

- <q2:Policy> 

<q2:l\lame> Prevent removable media source for any 

install</q2:Name> 
<q2:State>Enabled</q2:State> 

<q2;Explain>Prevents users from installing programs from 
removable media. \n\nlf a user tries to install a program from 
removable media, such as CD-ROMs, floppy disks, and DVDs, a 
message appears, stating that the feature cannot be 
found. \n\nThis setting applies even when the installation is 
running in the user's security context.\n\nIf you disable this 
setting or do not configure it, users can install from removable 
media when the installation is running in their own security 
context, but only system administrators can use removable 
media when an installation is running with elevated system 
privileges, such as installations offered on the desktop or in 
Add or Remove Programs.\n\nAlso, see the "Enable user to 
use media source while elevated setting" in C mputer 
Configuration\Administrative Templates\Windows 
C mponents\Wind ws Installer. \n\nAlso, see the "Hide the 
'Add a program from CD-ROM or floppy disk' ption" setting in 
User Configurati n\Administrative Templates\Contr I 
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Panel\Add or Remove Programs.</q2:Explain> 
<q2:Supported>At least Micros ft Windows 2000</q2:Supported> 
<q2:Category> Windows Components/Windows 
Installer</q2:Category> 

</q2:Policy> 

- <q2:RegistrySetting> 

<q2:KeyPath>Software\Policies\Microsoft\Windows\Network 

Connections</q2 : KeyPath> 
<q2:AdmSetting>false</q2:AdmSetting> 

- <q2:Value> 

<q2:Name>NC_ShowSharedAccessUI</q2:Name> 

<q2:Number>0</q2:Number> 
</q2:Value> 
</q2 : Registry Setting > 
</Extension> 

<Name> Registry </Name> 
</ExtensionData> 

- <ExtensionData> 

- < Extension 

xmlns:q3="http:// www. microsoft.com/GroupPolicy/Settings/IE" 
xsi:type="q3:InternetExplorerSettings"> 

<q3:PreferenceMode>true</q3:PreferenceMode> 
</Extension> 

<Name>Internet Explorer Maintenance</Name> 

</ExtensionData> 

- <ExtensionData> 

< Extension 

xmlns:q4 = ,, http://www.microsoft.com/GroupPolicy/Settings/SoftwareInstallatic 
xsi:type= M q4:SoftwareInstalIationSettings" /> 
<Name>Software Installation</Name> 

</ExtensionData> 

- <ExtensionData> 

- <Extension 

xmlns:q5= M http://www. microsoft.com/GroupPolicy/Settings/PublicKey" 
xsi;type="q5:PublicKeySettings"> 

- <q5:AutoEnrollmentSettings> 

<q5:Enrol!CertificatesAutomatically>true</q5:EnrollCertificatesAutomaticaliy> 

- <q5:Options> 

<q5:RenewUpdateRevoke>false</q5:RenewUpdateRevoke> 
<q5:UpdateTemplates>false</q5:UpdateTemplates> 
</q5:Options> 

</q5:AutoEnrollmentSettings> 
</Extension> 

<Name>Public Key</Name> 
</ExtensionData> 
</User> 
- <LinksTo> 

<SOMName> Lightly Managed</SOMName> 

<SOMPath>GPMCDem .com/Corp Headquarters/User Accounts/ Lightly 

Managed</SOMPath> 
<Enabled>true</Enabled> 
<NoOverride>false</NoOverride> 
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</LinksTo> 
</GPO> 



APPENDIX C 

HTML for RSOP CFIG. 19) 

<html dir="ltr" xmlns:v= M urn:schemas-microsoft-com:vml" 

gpmc_reportlnitialized="false"> 

<head> 

<meta http-equi v="Content-Type" content= ,, text/html ; charset=UTF-16" /> 

<title>GPMCDEMO\anthonyc on GPMCDEMO\WS03EE</title> 

<! — Styles — > 

<style type= M text/css"> 

body { background-color :#FFFFFF; border :lpx solid #666666; 
color : #000000; font-size : 68%; font-family :Tahoma; margin :0,0,10px,0; word- 
break : normal ; word-wrap: break-word; } 

table { font-size: 100%; table-! ayout:fixed; width: 100%; } 

td,th { overflowivisible; text-align: left; vertical-align:top; 
white-space : normal ; } 

.title { background:#FFFFFF; border:none; color :#333333; 
display: block; height :24px; margin: Opx, Opx, -lpx, Opx; padding-top :4px; 
position: relative; table-layout : fixed; width:100%; z-index:5; } 

.he0_expanded { background-color :#FEF7D6; border:lpx solid 
#BBBBBB ; color :#3333CC; cursor:hand; display : block; font-family :Tahoma; font- 
size: 100% ; f ont-wei ght : bol d ; hei ght : 2 . 2 5em ; margi n-bottom : -lpx ; margi n-1 eft : Opx ; 
margi n- ri ght : Opx ; paddi ng-1 ef t : 8px ; paddi ng- ri ght : 5em ; paddi ng-top : 4px ; 
position: relative; width: 100%; } 

.hel_expanded { background-color :#A0BACB; border:lpx solid 
#BBBBBB ; color : #000000; cursor:hand; display :block; font-family :Tahoma; font- 
size:100%; font-weight : bold; height :2 ,25em; margi n-bottom: -lpx; margin-left :10px; 
margi n- ri ght : Opx ; paddi ng-1 eft : 8px ; paddi ng- ri ght : 5em ; paddi ng-top : 4px ; 
position: relative; width: 100%; } 

.hel { background-color :#A0BACB; border:lpx solid #BBBBBB; 
color : #000000; cursor:hand; display:block; font-family :Tahoma; font-size: 100%; font- 
weighf.bold; height :2.25em; margi n-bottom: -lpx; margin-left :10px; margin-right :0px; 
padding-left :8px; paddi ng-ri ght : 5em; paddi ng-top :4px; position: relative; width: 100%; 



,he2 { background-color :#C0D2DE; border:lpx solid #BBBBBB; 
color : #000000; cursor : hand; display : block; font-family :Tahoma; font-size: 100%; font- 
weight:bold; height :2.25em; margi n-bottom: -lpx; margin-left :20px; margin-right :0px ; 
paddi ng-1 eft :8px; padding-right : 5em; paddi ng-top :4px; position: relative; width:100%; 



.he3 { background-color :#D9E3EA; border: lpx solid #BBBBBB ; 
color: #000000; cursor:hand; display:block; font-family :Tahoma; font-size: 100%; font- 
weight:bold; height :2 .25em; margin-bottom: -lpx ; margin-left :30px; margin-right :0px, 
padding-left :llpx; paddi ng-ri ght : 5em; paddi ng-top :4px; position: relative; 
width: 100%; } 

.he4 { background-color :#E8E8E8; border: lpx solid #BBBBBB ; 
color : #000000; cursor:hand; display :block; font-family :Tahoma; font-size: 100%; font- 
weight:bold; height :2 .25em; margi n-bottom: -lpx; margin-left :40px; margin-right :0px ; 
paddi ng-1 eft : llpx ; paddi ng-ri ght : 5em ; paddi ng-top : 4px ; posi t i on : rel ati ve ; 
width: 100%; } 

.he4h { background-color:#E8E8E8; border:lpx solid #BBBBBB; 
col or: #000000; cursor:hand; display :block; font-family :Tahoma; font-size: 100%; font- 
weight:bold; height :2 .25em; margi n-bottom: -lpx; margin-left :45px; margin-right :0px; 



padding-left :llpx; padding-right :5em; padding-top:4px; position: relative; 
width: 100%; } 

.he4i { background-color :#F9F9F9; border:lpx solid #BBBBBB; 
col or: #000000; display :block; font-family :Tahoma; font-size: 100%; margin-bottom :- 
lpx; margin-left:45px; margin-right :0px; padding-bottom: 5px ; padding-left :21px; 
padding-top :4px; position: relative; width: 100%; } 

.he5 { background-color :#E8E8E8; border:lpx solid #BBBBBB; 
color :#000000; cursor:hand; display : block; font-family :Tahoma; font-size: 100%; font- 
weight:bold; height :2 .25em; margin-bottom: -lpx; margin-left:50px; margin-right:0px; 
padding-left :llpx; padding-right :5em; padding-top:4px; position: relative; 
width: 100%; } 

.he5h { background-color :#E8E8E8; border: lpx solid #BBBBBB; 
col or: #000000; cursor:hand; display : block; font-family :Tahoma; font-size: 100%; 
padding-left :llpx; padding- right :5em; padding-top :4px; margin-bottom: -lpx; margin- 
left :55px; margin-right:0px; position: relative; width:100%; } 

.he5i { background-color :#F9F9F9; border:lpx solid #BBBBBB; 
col or: #000000; display : block; font-family :Tahoma; font-size: 100%; margin-bottom :- 
lpx; margin-! eft :55px; margin-right :0px; padding-left :21px; padding- bottom: 5px; 
padding-top: 4px; position: relative; width: 100%; } 

DIV .expando { color : #000000; text-decoration: none; display: block; 
font-family :Tahoma; font-size: 100%; font-weight : normal ; position: absolute; 
right :10px; text-decoration: underline; z-index: 0; } 

.heO .expando { font-size : 100%; } 

.info, . info3, . info4, .disalign { 1 i ne-height : 1. 6em; 
padding:0px,0px,0px,0px; margin:0px,0px,0px,0px; } 

.disalign TD { padding-bottom :5px; padding- 

right:10px; } 

.info TD { padding- right:10px; width: 50%; } 

.info3 TD { padding- right :10px; width: 33%; } 

.info4 TD, .info4 TH { padding-right:10px; width: 2 5%; } 

.info TH, .info3 TH, .info4 TH, .disalign TH { border-bottom:lpx 
solid #CCCCCC; padding- right :10px; } 

.subtable, .subtable3 { border:lpx solid #CCCCCC; 

margin-left:0px; background :#FFFFFF; margin-bottom :10px; } 

.subtable TD, .subtable3 TD { padding-left :10px; padding- 

right:5px; padding-top :3px; padding-bottom :3px; line-height :l.lem; width:10%; } 

.subtable TH, .subtable3 TH { border-bottom: lpx solid #CCCCCC; 

font-wei ght: normal ; padding-left :10px; line-height :1.6em; } 

.subtable .footnote { border-top: lpx solid #CCCCCC; } 

,subtable3 .footnote, .subtable .footnote { border-top: lpx solid 

#cccccc; } 

.subtabl enframe { background :#D9E3EA; border: lpx solid #CCCCCC; 
margin-bottom :10px; margin-! eft :15px; } 

.subtable_frame TD { line-height :l.lem; padding-bottom :3px; 
padding-left:10px; padding-right :15px; padding-top :3px; } 



,subtable_frame TH { border-bottom: lpx solid #CCCCCC; font- 
weight : normal ; padding-left :10px; line-height :1.6em; } 

.subtablelnnerHead { border-bottom: lpx solid #CCCCCC; border-top: lpx 

solid #cccccc; } 

.explain! ink { color :#000000; text-decoration: none; 

cursor: hand; } 

.explainl ink: hover { color :#0000FF; text-decoration underline; 

} 

.spacer { background transparent; border: lpx solid #BBBBBB ; 
color :#FFFFFF; display:block; font-family:Tahoma; font-size : 100%; height:10px; 
margin-bottom: -lpx; margin-left :43px; margin- right :0px; padding-top: 4px; 
position: relative; } 

.filler { background transparent ; border:none; color :#FFFFFF; 
display: block; font: 100% Tahoma; line-height :8px; margin-bottom: -lpx; margin- 
left:43px; margin-right :0px; padding-top :4px ; position: relative; } 

.container { display: block; position:relative; } 

.rsopheader { background-color :#A0BACB; border-bottom: lpx solid 
black; color:#333333; font-family :Tahoma; font-size: 130%; font-weight : bold; padding- 
bottom: 5px; text-al ign: center ; } 

.rsopname { color :#333333; font-family : tahoma; font-size: 130%; font- 
weight: bold; padding-left :llpx; } 

.gponame{ color :#333333 ; font-family :Tahoma; font-size : 130%; font- 
weight: bold; padding-left :llpx; } 

.gpotype{ color :#333333; font-famil y :Tahoma; font-size : 100%; font- 
weight: bold; padding-left :llpx; } 

#uri { color:#333333; font-family :Tahoma; font-size: 100%; 
paddi ng-1 eft : llpx ; } 

#dtstamp{ color:#333333; font-family :Tahoma; font-size: 100%; 
paddi ng-1 eft: llpx; text-al ign: left; width: 30%; } 

#objshowhide { col or: #000000; cursor:hand; font-family :Tahoma; font- 
size:100%; font-weight: bold; margin-right :0px ; paddinq-right:10px; text-align: right ; 
text-decoration underline; z-index:2; word-wrap : normal ; } 

#gposummary { display : block; } 

#gpoinformation { display: block; } 

©media print { 

#objshowhide{ display: none; } 

body { color: #000000; border: lpx solid #000000; } 
.title { color :#000000; border: lpx solid #000000; } 
.he0_expanded { color : #000000; border: lpx solid #000000; } 
.heLexpanded { color : #000000 ; border: lpx solid #000000; } 
.hel { color :#000000; border: lpx solid #000000; } 



#000000; } 



.he2 


{ 


color 


: #000000; 


background :#EEEEEE; border :lpx solid 


.he3 


{ 


color 


: #000000; 


border :lpx solid #000000; 


} 


.he4 


{ 


color 


: #000000; 


border :lpx solid #000000; 


} 


.he4h 


{ 


color 


: #000000; 
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border :lpx solid #000000 


} 


.he5 


{ 


color 


: #000000; 


border :lpx solid #000000 


; } 


.he5h 


{ 


color 


: #000000; 


border :lpx solid #000000 


; } 


.he5i 


{ 


color 


: #000000; 


border :lpx solid #000000 


; } 



} 

v\ : * {behavi or : url (#def aul t#VML) ; } 



</style> 

<!-- Script 1 --> 

<script language= n vbscript"> 
<!-- 



1 string M strShowHide(0/l) n 
' 0 = Hide all mode. 
' 1 = Show all mode. 
strShowHide = 1 

localized strings 
strshow = "show" 
strHide = "hide" 
strShowAll = "show all" 
strHideAll = "hide all" 
strshown = "shown" 
strHidden = "hidden" 
strExpandoNumPixelsFromEdge = "10px' 



Function isSectionHeader(obj) 

isSectionHeader = (obi .className = "he0_expanded") or (obj .className = 
"heLexpanded") Or (obi .className = "hel") Or (obi .className = M he2") or 
(obi. className = "he3"J or (obj .className = "he4") Or (obj .className = M he4h M ) 
(obj .className » "heS") Or (obj .className = M he5h M ) 
End Function 



or 



Function isSectionExpandedByDefaul t (objHeader) 

isSectionExpandedByDefault = (Right (objHeader. className, Len("_expanded )) = 
"^expanded") 
End Function 



' strstate must be show | hide | toggle 

sub SetSectionState(objHeader , strstate) 

' Get the container object for the section. 

obj . 



It's the first one after the header 



i = objHeader .sourcelndex 

set al 1 = objHeader.parentElement.document.au 



While (all (i) .className <> "container") 
i = i + 1 

wend 

Set objcontainer = all(i) 

If strstate = "toggle" Then 

If objcontainer. style. display = "none" Then 
Setsectionstate objHeader, "show" 

Else 

Setsectionstate objHeader, "hide" 
End If 

Else 

Set objExpando = objHeader .children. item(l) 

If strstate = "show" Then 

objcontainer .style. display = "block" 
objExpando. innerText = strHide 

Elself strstate = "hide" Then 

objcontainer .style. display = "none" 
objExpando. innerText = strshow 
End If 
End If 
End Sub 



Sub ShowSection (objHeader) 

Setsectionstate objHeader, "show" 
End Sub 



sub HideSection(objHeader) 

Setsectionstate objHeader, "hide" 
End Sub 



Sub ToggleSection(objHeader) 

Setsectionstate objHeader, "toggle" 
End Sub 



' When user clicks anywhere in the document body, determine if user is clicking 
' on a header element. 



Function document_onclick() 

Set strsrc = window. event .srcElement 

While (strsrc. className = "sectionTitl e" Or strsrc . className = "expando" Or 
strsrc. className = "vml image") 

Set strsrc = strsrc. parentElement 

Wend 

' Only handle clicks on headers. 

If Not isSectionHeader(strsrc) Then Exit Function 

ToggleSection strsrc 

wi ndow. event. returnValue = False 
End Function 



1 link at the top of the page to collapse/expand all collapsable elements 



Function objshowhide_onCl ick() 

Set objBody = document .body. all 
Select Case strshowHide 
case 0 

strshowHide = 1 

objshowhide.innerText = strShowAll 
For Each obji in objBody 

If IsSectionHeader(obji) Then 
Hidesection obji 

End If 

Next 
Case 1 

strshowHide = 0 

objshowhide.innerText = strHideAll 
For Each obji In objBody 

If isSectionHeader(obji) Then 
Showsection obji 

End If 

Next 
End Select 
End Function 



' onload collapse all except the first two levels of headers (heO, hel) 



Function window_onload() 

' only initialize once. The ui may reinsert a report into the webbrowser 
control , 

' firing onLoad multiple times. 

If UCase (document . documentEl ement . getAtt ri bute ("gpmc_reportlni ti al i zed") ) <> 
"TRUE" Then 

' initialize sections to default expanded/collapsed state. 
Set objBody = document .body. all 

For Each obji in objBody 

If isSectionHeader(obji) Then 

If isSectionExpandedByDefault(obji) Then 
Showsection obji 

Else 

Hidesection obji 
End If 
End If 

Next 

objshowhide.innerText = strShowAll 

document . documentEl ement . setAtt ri bute M gpmc_reportlni ti al i zed" , "true" 
End If 
End Function 



' when direction (ltr/rtl) changes, change adjust for readability 
i 

Function document_onPropertyChange() 

If window. event. propertyName = "dir" Then 
Cal 1 f DetDi r (UCase (document . di r) ) 

End If 
End Function 



Function fDetDi r(strDi r) 
strDir = UCase(strDi r) 
select Case strDir 
Case "LTR" 

Set col Rules = document .stylesheets (0) . rules 
For i = 0 To col Rules. length -1 

Set nug = col Rules .item(i) 

strclass = nug.selectorText 

If nug.style.textAlign = "right" Then 
nug.style.textAlign = "left" 

End If 

select Case strclass 
Case "Div .expando" 

nug. style. Left = "" 

nug. style. right = strExpandoNumPixelsFromEdge 
case ,, #objshowhide" 

nug.style.textAlign = "right" 
End Select 

Next 
Case "RTL" 

Set col Rules = document .stylesheets (0) . rules 
For i = 0 To col Rules. length -1 

Set nug = col Rules . item(i) 

strclass = nug.selectorText 

If nug.style.textAlign = "left" Then 
nug.style.textAlign = "right" 

End If 

Select case strclass 
Case "DIV .expando" 

nug. style. Left = StrExpandoNumPixelsFromEdge 
nug. style. right = "" 
Case "#objshowhide" 

nug.style.textAlign = "left" 
End Select 

Next 
End Select 
End Function 



'When printing reports, if a given section is expanded, let's says "shown" (instead 
of "hide" in the UI) . 

i 

Function window_onbeforeprint() 
For Each obji In document. all 

If obji .className = "expando" Then 

If obji . innerText = strHide Then obji . innerText = strshown 
If obji .innerText = strshow Then obji .innerText = strHidden 
End If 

Next 
End Function 



'If a section is collapsed, change to "hidden" in the printout (instead of "show"). 

Function window_onafterprint() 
For Each obji In document. all 

if obji .className = "expando" Then 

If obji .innerText = strshown Then obii .innerText = strHide 
if obji . innerText = strHidden Then obji . innerText = strshow 
End If 

Next 
End Function 



1 Adding keypress support for accessibility 



Function document_onKeyPress() 

If window. event. keycode = "32" Or wi ndow. event .keyCode = 13 Or 
wi ndow. event. keycode = "10" Then 'space bar (32) or carriage return (13) or line 
feed (10) 

If window. event. srcElement .className = "expando" Then Call 
document_onclick() : window. event . returnValue = false 

If window. event. srcElement. className = "sectionTitle" Then Call 
document_onclick() : wi ndow. event . returnValue = false 

If window. event. srcElement. id = "objshowhide" Then Call 
objshowhide_onClick() : wi ndow. event . returnValue = false 

End If 
End Function 

— > 

</script> 

<!-- Script 2 --> 

<script language="javascript"> 
<!-- 

function getExpl ai nwi ndowTitl e() 

return document . getEl ementById("expl ai nText_wi ndowTi tl e") . i nnerHTML ; 

} 

f uncti on getExpl ai nwi ndowstyl es () 

return document . getEl ementByld ("expl ai nText_wi ndowstyl es"). i nnerHTML ; 

} 

f uncti on getExpl ai nwi ndowSetti ngPathLabel () 

1 retu rn document . getEl ementByld ("expl ai nText_setti ngPathLabel ") . i nnerHTML ; 

} 

function getExpl ai nWi ndowExpl ai nText Label () 

" return document . getEl ementByld ("expl ai nText_expl ai nTextLabel ") . i nnerHTML ; 

function getExpl ai nwi ndowPri ntButton() 

return document .getEl ementByld ("expl ainText_printButton") .innerHTML; 

} 

function getExpl ainWindowCloseButton() 

return document .getEl ementByld("explainText_closeButton") .innerHTML; 

} 

function getNoExpl ai nTextAvai 1 abl e() 
return 

document . getEl ementById("expl ai nText_noExpl ai nTextAvai 1 abl e") . i nnerHTML ; 

f uncti on getExpl ai nwi ndowSupportedLabel () 

return document .getEl ementByld("explainText_supportedLabel ") .innerHTML; 

} 

function getNoSupportedTextAvailableQ 



{ 

return 

document . getEl ementByld("expl ai nText_nosupportedTextAvai 1 abl e") . i nnerHTML ; 



f unct i on s howExpl ai nText (s rcEl ement) 
{ 

var strSettingName = srcElement .getAttribute("gpmc_settingName") ; 
var strSettingPath = srcElement .qetAttribute( ,, gpmc_settingPath ,, ) ; 
var strSettingDescription = srcElement .getAttnbute( ,, gpmc_settingDescription H ) ; 

if (strSettingDescription == "") 

strSettingDescription = getNoExplainTextAvailableQ ; 



var strsupported = srcElement .getAttribute("gpmc_supported") ; 
if (strsupported == "") 

strsupported = getNoSupportedTextAvailable() ; 



var strHtml = ,, <html>\n n ; 
strHtml += "<head>\n" ; 

strHtml += "<title>" + getExpl ai nwi ndowTitle() + "</title>\n" ; 
strHtml += "<style type=' text/ess' >\n" + getExplainWindowStyles() + 
"</style>\n"; 

strHtml += "</head>\n"; 
strHtml += "<body>\n" ; 

strHtml += "<div class=' head '>" + strSettinqName +"</di v>\n" ; 

strHtml += "<div class= , path'><b>" + getExplainWindowSettingPathLabel () + 
n </b><br/> H + strSettingPath +"</di v>\n" ; 

strHtml += "<div class= , path , xb>" + getExplainWindowSupportedLabel () + 
"</bxbr/>" + strsupported +*'</di v>\n" ; 

strHtml += "<div class= , info'>\n n ; 

strHtml += "<div class= l hdr , >" + getExpl ainWindowExplai nText Label () + 
"</div>\n"; 

strHtml += "<div class='bdy'>" + strSettingDescription + "</div>\n u ; 

strHtml += "<div class='btn'> M ; 

strHtml += getExpl ai nwi ndowPri ntButton() ; 

strHtml += getExpl ai nwi ndowcl oseButtonO ; 

strHtml += rf </divx/bodyx/html>" ; 

var strDiagArgs = "height=360px , width=630px, status=no, toolbar=no, 
scroll bars=yes, resizable=yes " ; 

var expwin = window. open( ,,M , "expwin" , strDiagArgs); 

expwi n . document .write ("") ; 

expwin. document .close() ; 

expwi n . document . wri te (strHtml ) ; 

expwi n . document . cl ose () ; 

expwi n.focusO ; 

//cancels navigation for IE. 

if (navigator . userAgent .indexof ("MSIE") > 0) 

window. event . returnValue = false; 



return false; 



</script> 



</head> 
<body> 

<!-- HTML resources — > 

<div style="di splay: none ;"> , . ... 

<div id="explainText_windowTitle">Group Policy Management</div> 

<di v i d="expl ai nText_wi ndowStyl es"> 

body { font-size: 68%; font-f ami ly:Tahoma; 
margin :0px,0px,0px,0px; border: lpx solid #666666; background :#F6F6F6; width :100%; 
word-break : normal ; word-wrap: break-word; } 

.head { font-weight:bold; font-size: 160%; font- 
family :Tahoma; width:100%; color:#6587DC; background :#E3EAF9 ; border:lpx solid 
#5582D2; padding-left:8px; height :24px; } 

.path { margin-left: lOpx; margin-top: lOpx; margin- 

bottom:5px; width: 100%; } 

.info { paddi ng-1 eft :10px; width: 100%; } 

table { font-size: 100%; width: 100%; border: lpx solid 

#999999; } 

th { border-bottom: lpx solid #999999; text- 
align: left; paddi ng-1 eft :10px; height :24px; } 

td { background :#FFFFFF; paddi ng-1 eft :10px; paddi ng- 
bottom:10px; paddi ng-top:10px; } 

.btn { width:100%; text-align: right; margin-top :16px; } 

hdr { font-weight: bold; border:lpx solid #999999; 
text-align: left; padding-top: 4px; paddi ng-1 eft :10px; height :24px; margin-bottom :- 
lpx; width: 100%; } 

.bdy { width: 100%; height: 182 px; display: block; 
overflow:scroll; z-index:2; background :#FFFFFF; paddi ng-1 eft :10px; padding- 
bottom:10px; paddi ng-top:10px; border:lpx solid #999999; } 

button { width:6.9em; height:2 .lem; font-size: 100%; 
font-family:tahoma; margi n- right: 15 px; } 

©media print { 

.bdy { display: block; overflow: visible; } 

button { display: none; } 

.head { color : #000000; background :#FFFFFF; 

border: lpx solid #000000; } 

} 



<div id="explainText_settingPathi_abel">Setting Path:</div> 
<di v i d="expl ai nText.expl ai nTextLabel ">Expl anati on</di v> 
<div id="explainText_printButton"> _ 
<button name=" Print" onClick="window.print() 
accesskey="P"xu>P</u>rint</button> 



</div> 



<di v i d="expl ai nText_cl oseButton"> 
<button name="Close" onClick="window. close ()" 
accesskey="C"xu>C</u>lose</button> 

</div> 

<div id= n explainText__noExplainTextAvailable">No explanation is available for 
this setting.</div> 

<div id="explainText_supportedLabel">Supported On:</div> 
<di v i d= H expl ai nText_noSupportedTextAvai 1 abl e M >Not avai 1 abl e</di v> 
</divxtable class="title f ' cenpaddinq="0" cellspacing= ,, 0 M > 
<trxtd colspan= M 2 M class^'Ysopheader >Group Policy Results</tdx/tr> 
<trxtd colspan= M 2" class="rsopname">GPMCDEMO\anthonyc on GPMCDEMO\WS03EE</tdx/tr> 
<trxtd id= M dtstamp">Data collected on: 6/27/2003 4:43:21 PM</tdxtdxdiv 
id= M objshowhide M tabindex="0"x/divx/tdx/tr> 
</table> 

<div class= ,, rsopsummary n > 

<div class="heO_expanded"xspan class= u sectionTitle" tabindex="0 M >summary</spanxa 
class="expando" href="#"x/ax/div> 

<div class="container"xdiv class="hel_expanded"xspan class="sectionTitle n 
tabindex="0 ,, >Computer Configuration Summary</spanxa class="expando" 
href= M # H x/ax/div> 

<div class="container"xdiv class="he2"xspan class= n sectionTitle" 
tabindex="0">General</spanxa class="expando" href="#"x/ax/div> 

<div class= M container"xdiv class="he4i"xtable class="info" cell padding="0" 
cellspacing="0' f > 

<trxtd>Computer name</tdxtd>GPMCDEMO\ws03EE</tdx/tr> 
<t rxtd>Domai n</tdxtd>GPMCDemo . com</tdx/t r> 
<trxtd>Site</tdxtd>Default-First-Site-Name</tdx/tr> 

<trxtd>l_ast time Group Policy was processed</tdxtd>6/27/2003 4:37:31 PM</tdx/tr> 

</table> 

</divx/div> 

<div class="he2"xspan class="sectionTitle" tabindex="0">Group Policy 
Objects</spanxa class= n expando M href= ,, # ,, x/ax/div> 

<div class="container"xdiv class="he3"xspan class="sectionTitle" 
tabindex="0 M >Applied GPOs</spanxa cl ass="expando" href="#"x/ax/div> 
<div class="container M xdiv class="he4i"xtable class="info3" cell padding="0" 
cellspacing="0"> 

<trxth scope= n col M >Name</thxth scope="col ">Link Location</thxth 
scope= n col ">Revision</thx/tr> 

<trxtd>Local Group Policy</tdxtd>i_ocal</tdxtd>AD (1), Sysvol (l)</tdx/tr> 
<trxtd>WW EFS Recovery Policy</tdxtd>GPMCDemo.com</tdxtd>AD (1), sysvol 
(l)</tdx/tr> 

<trxtd>Default Domain Policy</tdxtd>GPMCDemo.com</tdxtd>AD (3), Sysvol 
(3)</tdx/tr> 

<trxtd>Default Domain Controllers Pol icy</tdxtd>GPMCDemo. com/Domain 
Control! ers</tdxtd>AD (4), Sysvol (4)</tdx/tr> 

<trxtd>WW ITG Policy</tdxtd>GPMCDemo.com</tdxtd>AD (1), Sysvol (l)</tdx/tr> 
</table> 

</divx/divxdiv cl ass="he3"xspan class= ,, sectionTitle" tabindex="0 ,, >Denied 
GPOs</spanxa class="expando" href="# ,, x/ax/div> 

<div class= ,, container ,, xdiv class="he4i "xtable class="info3" cenpadding= n 0" 
cellspacing="0"> 

<trxth scope= n col">Name</thxth scope="col ">Link Location</thxth 
scope= M col ">Reason Denied</thx/tr> 
<trxtd colspan="3">None</tdx/trx/table> 
</di vx/di vx/di v> 

<div class= u he2"xspan class= ,, sectionTitle" tabindex="0">Security Group Membership 
when Group Policy was appl ied</spanxa class="expando" href="#"x/ax/div> 

<div class= ,t container"xdiv 
class="he4i M >BUILTIN\Administrators<br/>Everyone<br/>BUlLTlN\Pre-windows 2000 
Compatible Access<br/>BUlLTlN\Users<br/>BUlLTlN\windows Authorization Access 
Group<br/>NT AUTHORlTY\NETWORK<br/>NT AUTHORlTY\Authenti cated Users<br/>NT 
AU7H0RITY\This Organi zati on<br/>GPMCDEMO\WS03EE$<br/>GPMCDEMO\Domai n 
Controllers<br/>NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS</di vx/di V> 



<div class="he2"xspan class^'section-Title" tabindex="0 M >WMI Filters</spanxa 

class="expando" href="#"x/ax/div> , 

<div class="container"xdiv class="he4i , 'xtable class="info3 
cellpadding="0" censpacing="0"> , , , „ _„ „ , 

<trxth scope= M coT'>Name</thxth scope="col">Value</thxth scope="coV'>Reference 

GPO(s)</thx/tr> 

<trxtd col span=" 3">None</tdx/t rx/tabl e> 

<div V class="he2"xspan class="sectionTitle" tabindex="0">Component status</spanxa 
class="expando" href="#"x/ax/diy> ,.•*:>.. 

<div class="container"xdiv class="he4i"xtable class= mfo3 
cellpadding="0" cellspacing="0"> , 
<trxth scope="col">component Name</thxth scope=' col >status</thxth 
scope="coT'>Last Process Time</thx/tr> 

<tr><td>Group Policy Inf rastructure</tdxtd>Success</tdxtd>6/27/2003 4:37:32 

<t?xtKEFS > recovery</tdxtd>Success (no data)</tdxtd>4/9/2003 9:42:38 AM</tdx/tr> 
<trxtd>Registry</tdxtd>Success</tdxtd>4/10/2003 2 :47:05 PM</tdx/tr> 
<trxtd>Security</tdxtd>Success</tdxtd>4/10/2003 2 : 38: 10 PM</tdx/tr> 

</tabl e> 

</divx/div> 

</div> 

<div class="hellexpanded"xspan class="sectionTitle" tabindex="0">user configuration 
sumraary</spanxa cl ass= H expando" href="#"x/ax/div> 
<div ciass="container"xdiv class="he2"xspan class= sectionTitle 
tabindex="0">General</spanxa cl ass="expando" href= # x/ax/div> 

<div class="container''xdiv class="he4i"xtable class="i nfo" cellpadding= 0 

cellspacing="0"> , , . 

<trxtd>User name</tdxtd>GPMCDEMO\anthonyc</tdx/tr> 
<trxtd>Domain</tdxtd>GPMCDemo.com</tdx/tr> 

<trxtd>Last time Group Policy was processed</tdxtd>6/27/2003 4:40:17 PM</tdx/tr> 
</table> 

</divx/div> . , „ , . , „„,, „ n • 

<div class="he2"xspan class="sectionTitle" tabmdex="0 >Group Policy 
Objects</spanxa class="expando" href="#"></a></div> 

<div class="container"xdiv class="he3"xspan class= sectionTitle 
tabindex="0">Applied GPOs</spanxa class="expando" href="#"></a></div> 
<div class="container"xdiv class="he4i"xtable class="info3" cellpadding= 0 

cellspacing="0"> ..,„., ■ <-u 

<trxth scope="col">Name</thxth scope="col ">Li nk Location</thxth 
scope="col">Revision</thx/tr> 

<trxtd>ww EFS Recovery policy</tdxtd>GPMCDemo.com</tdxtd>AD (1), sysvol 

<trxtd>Default Domain Policy</tdxtd>GPMCDemo.com</tdxtd>AD (1), sysvol 

<trxtd>Common Managed settings</tdxtd>GPMCDemo.com/Corp Headquarters/User 
Accounts</tdxtd>AD (1), Sysvol (l)</tdx/tr> 

<trxtd>LightlyManaged User settings</tdxtd>GPMCDemo.com/Corp Headquarters/User 

Accounts/Lightly Managed</tdxtd>AD (1), Sysvol (l)</td></tr> 

<trxtd>WW ITG Policy</tdxtd>GPMCDemo.com</tdxtd>AD (1), Sysvol (l)</tdx/tr> 

</d?vx/divxdiv class="he3"xspan class="sectionTitle" tabindex=' , 0">Denied 
GPOs</spanxa class="expando" href="#"x/ax/div> , 
<div class="container"xdiv class="he4i"xtable class= info3 cellpadding= 0 

cellspacing="0"> • ,^ *u 

<trxth scope="col">Name</thxth scope="col ">Li nk Location</thxth 
scope="col">Reason Denied</thx/tr> 

<trxtd>Local Group Policy</tdxtd>Local</tdxtd>Empty</tdx/tr> 
</tabl e> 

</divx/divx/div> , „ . ,. 

<div class="he2"xspan class="sectionTitle" tabindex="0' >secunty Group Membership 
when Group Policy was applied</spanxa class="expando" href="#"x/ax/div> 



<div class="container"xdiv class="he4i">GPMCDEM0\Domain 
users<br/>Everyone<br/>BUILTIN\Remote Desktop 

users<br/>BUILTIN\Users<br/>BUILTlN\Pre-Windows 2000 Compatible Access<br/>NT 
SRlK\?NTE^cfl5i<br/>NT AUTHORfTY\Authenticated users<br/>NT AUTHORITY\ThlS 

<d?rclass="he2^<?^ tabindex="0">WMl Filters</spanxa 

«^ m *^\^^£&«fc c1ass=»he4i"xtab1eclass="info3" 

^?rx? d h d sc 0 ;e=»co?">Same</?hx;h scope="col ">val ue</thxth scope="col »>Ref erence 
GPO(s)</thx/tr> 

<trxtd co1span="3">None</tdx/trx/table> 

<dii V c1ass="he2"xspan class="sectionTitle" tabindex="0">Component status</spanxa 
class="expando" href="# ,, x/ax/di v> 

<div class="container"xdiv class^'P^Vxtable class= mfo3 
cenpadding="0" cellspacing="0"> „ ,,, . . . 

<trxth scope="coT'>Component Name</thxth scope= col >status</thxth 
scope="col">Last Process Time</thx/tr> 

<trxtd>Group Policy inf rastructure</tdxtd>Success</tdxtd>6/27/2003 4.40.22 

<?^x?d>Folder RedT recti on</td><td>Success</tdxtd>6/27/2003 4:40 :21 «j/td></tr> 
<tr><td>lnternet Explorer Branding</tdxtd>Success</tdxtd>6/27/2003 4.40.22 

<?rxtdJRegistry</tdxtd>Success</tdxtd>6/27/2003 4:40:21 PM</tdx/tr> 

</table> 

</divx/div> 

</divx/div> 

<div class="finer"x/div> 
</div> 

<div clSS :: hlo!lxprndld :: ><span class="sectionTitle" tabindex="0">computer 
Configuration</spanxa class="expando" href ="#"></ ax/div> h 
<div class="container"xdiv class="hel_expanded"xspan class= „sectionTitle 
tabindex="0">windows setti ngs</spanxa class= expando href= # ></ax/div> 
<div class="container"xdiv class="he2"xspan class= sectionTitle 
tabindex="0">Security setti ngs</spanxa class= expando hret= # x/a></diy> 
tamnaeX <d - v class^container-xdiv class="he3"xspan class="sectionTitle' 
tabindex="0">Account policies/Password Policy</spanxa class= expando 

Ijaiv^cla^-p^ class="he4i"xtable class="info3" cellpadding="0" 

"rxth C s2ope="col ">Pol i cy</thxth scope="col ">Setti ng</thxth scope="col ">wi nni ng 

<t?xtd>Enfirce password history</tdxtd>24 passwords remembered</tdxtd>Default 

SrxJd^lximum^asswo^d age</tdxtd>42 days</tdxtd>Default Domain P°]^y</td></tr> 
Sr>Sd>Mi^imum password age</tdxtd>l days</td><td>Default Domain P°^y</tdx/tr> 
<trxtd>Minimum password length</tdxtd>7 characters</tdxtd>Default Domain 

<?rxtd>Password must meet complexity requirements</tdxtd>Enabled</tdxtd>Default 
S'SdSo^rpass^ds using reversible encryption</tdxtd>Disabled</tdxtd>Default 
Domain Policy</tdx/tr> 

Vdiv"x/divxdiv class="he3"xspan class="sectionTitle" tabi^ 
Policies/Account Lockout Policy</spanxa class="expando . h/ef= # x/a></diy> 
<div class="container"xdiv class= 5; he4i"xtable class="info3 cellpadding= 0 

<t rxth C scope="col ">Pol i cy</thxth scope="col ">Setti ng</thxth scope="col ">Wi nni ng 

<t?xtd?Ac^unt lockout threshold</tdxtd>0 invalid logon attempts </tdxtd>Default 
Domain Policy</tdx/tr> 



</divx/divxdiv class= ,, he3"xspan class="sectionTitl|" tabindex= 0 >Account 

Policies/Kerberos Policy</spanxa class="expando href= # x/ax/div> 

<div class="container"xdiv class="he4i"xtable class="info3" cen P adding= 0 

"Jxtn^sc'o'pe^col ">Pol i cy</thxth scope="col ">setti ng</thxth scope="col ">Wi nni ng 

<trxtd^Enforce user logon restrictions</tdxtd>Enabled</tdxtd>Default Domain 

SJxtd^MaximS^lifetirne for service ticket </tdxtd>600 minutes</tdxtd>Default 

Srxtd^lximu^lifetime for user ticket</tdxtd>10 hours</tdxtd>Default Domain 

^trxtd^Maximu^lifetime for user ticket renewal </tdxtd>7 days</tdxtd>Default 

Domain Policy</tdx/tr> . /*^^»^c 

<trxtd>Maximum tolerance for computer clock synchromzation</tdxtd>5 
minutes</tdxtd>Default Domain Policy</tdx/tr> 
</tabl e> 




"JJSh C scope2"co1 ">Pol i cy</thxth scope="col ">Setti ng</thxth scope="col ">Wi nni ng 



<trxtd>Audit account^logon events</tdxtd>Success</tdxtd>Default Domain 

<trxtd>Audit°lccount d ^ Domain controllers 

<trxtd>Audi ^directory service access</tdxtd>Success</tdxtd>Default Domain 
Controllers Policy</tdx/tr> , .... 

<trxtd>Audit logon events</tdxtd>Success</tdxtd>Default Domain controllers 

<trxtd>Audi ^object access</tdxtd>No auditing</tdxtd>Default Domain Controllers 

<trxtd>Audi ^policy change</tdxtd>Success</tdxtd>Default Domain Controllers 

<trxtd>Audi ^privilege use</tdxtd>No auditing</tdxtd>Default Domain controllers 

Srxtd^Audi^process tracking</tdxtd>No auditing</tdxtd>Default Domain 
controllers Pol icy</tdx/tr> . in 

<trxtd>Audit system events</tdxtd>success</tdxtd>Default Domain Controllers 

Policy</tdx/tr> 

</d?v"x/divxdiv class="he3"xspan class= ,, sectionTitle'\ tabindex="0">Local 
Policies/user Rights Assignment</spanxa class= expando href= # ></a></div> 
<div class="container"xdiv class="he4i* , xtable class="info3 cellpadding= 0 

"rxtn^scope^'col ">Pol i cy</thxth scope="col ">Setti ng</thxth scope="col ">Wi nni ng 

<trxtd>Access this computer from the network</tdxtd>Pre-windows 2000 compatible 
Access, ENTERPRISE DOMAIN CONTROLLERS, Authenticated Users, Administrators, 
Everyone</tdxtd>Default Domain Controllers Policy</tdx/tr> 
<trxtd>Act as part of the operating system</tdxtdx/tdxtd>Default Domain 
Controllers Policy</tdx/tr> . _ _ 

<trxtd>Add workstations to domain</tdxtd>Authenticated users</tdxtd>Default 
Domain controllers Policy</td></tr> . . ccDv-rrp 

<trxtd>Adiust memory quotas for a process</tdxtd>Admimstrators, NETWORK SERVICE, 
LOCAL SERVICE</tdxtd>Default Domain Controllers Policy</tdx/tr> 
<trxtd>Allow log on locally</tdxtd>Account operators, Administrator *L Backup 
operators, GPMCDEMO\Domai n Users, Print Operators, Server Operators, TESTl\Domain 
Use.rs</tdxtd>Default Domain Controllers Policy</tdx/tr> , 
<trxtd>Allow log on through Terminal services</tdxtd>GPMCDEMO\Domain users, 
TESTl\Domain users</tdxtd>Default Domain Controllers Policy</tdx/tr> 



<trxtd>Back up files and di rectories</tdxtd>Server Operators, Backup Operators, 
Administrators</tdxtd>Defaul t Domain Controllers Policy</tdx/tr> 
<trxtd>Bypass traverse checking</tdxtd>Pre-Windows 2000 Compatible Access, 
Authenticated users, Administrators, Everyone</tdxtd>Defaul t Domain Controllers 
Policy</tdx/tr> 

<trxtd>Change the system time</tdxtd>Server Operators, 
Administrators</tdxtd>Default Domain Controllers Pol icy</tdx/tr> 
<trxtd>Create a pagef ile</tdxtd>Administrators</tdxtd>Default Domain Controllers 
Pol i cy</t dx/t r> 

<trxtd>Create a token object</tdxtdx/tdxtd>Default Domain Controllers 
Pol i cy</tdx/t r> 

<trxtd>Create permanent shared objects</tdxtdx/tdxtd>Default Domain Controllers 
Pol icy</tdx/tr> 

<trxtd>Debug programs</tdxtd>Administrators</tdxtd>Defaul t Domain Controllers 
Pol icy</t dx/t r> 

<trxtd>Deny access to this computer from the 

network</tdxtd>GPMCDEMO\SUPPORT_388945a0</tdxtd>Default Domain Controllers 
Pol icy</t dx/t r> 

<trxtd>Deny log on as a batch job</tdxtdx/tdxtd>Defaul t Domain Controllers 
Pol i cy</t dx/t r> 

<trxtd>Deny log on as a service</tdxtdx/tdxtd>Default Domain Controllers 
Policy</tdx/tr> 

<trxtd>Deny log on local ly</tdxtd>GPMCDEMO\SUPPORT_388945a0</tdxtd>Default Domain 
Controllers Pol icy</tdx/tr> 

<trxtd>Enable computer and user accounts to be trusted for 

del egati on</tdxtd>Admi ni st rators</tdxtd>Def aul t Domai n Control 1 ers 

Pol i cy</tdx/t r> 

<trxtd>Force shutdown from a remote system</tdxtd>Server operators, 
Administrators</tdxtd>Defaul t Domain Controllers Policy</tdx/tr> 
<trxtd>Generate security audits</tdxtd>NETWORK SERVICE, LOCAL 
SERVlCE</tdxtd>Default Domain Controllers Pol icy</tdx/tr> 

<trxtd>lncrease scheduling priority</tdxtd>Administrators</tdxtd>Default Domain 
Controllers Policy</tdx/tr> 

<trxtd>Load and unload device dri vers</tdxtd>Print Operators, 
Administrators</tdxtd>Defaul t Domain Controllers Pol icy</tdx/tr> 
<trxtd>Lock pages in memory</tdxtdx/tdxtd>Defaul t Domain Controllers 
Pol i cy</tdx/t r> 

<trxtd>Log on as a batch job</tdxtd>GPMCDEMO\SUPPORT_388945a0 , LOCAL 
SERVICE</tdxtd>De fault Domain Controllers Pol icy</tdx/tr> 
<trxtd>Log on as a service</tdxtd>NETWORK SERVlCE</tdxtd>Default Domain 
Controllers Policy</tdx/tr> 

<trxtd>Manage auditing and security log</tdxtd>Administrators</tdxtd>Default 
Domain Controllers Pol icy</t dx/t r> 

<trxtd>Modify firmware environment values</tdxtd>Administrators</tdxtd>Default 
Domain Controllers Policy</tdx/tr> 

<trxtd>Profile single process</tdxtd>Administrators</tdxtd>Defaul t Domain 
Controllers Pol icy</t dx/t r> 

<trxtd>Profile system performance</tdxtd>Administrators</tdxtd>Default Domain 
Controllers Policy</tdx/tr> 

<trxtd>Remove computer from docking station</tdxtd>Administrators</tdxtd>Default 
Domain Controllers Policy</tdx/tr> 

<trxtd>Replace a process level token</tdxtd>NETWORK SERVICE, LOCAL 
SERVlCE</tdxtd>Default Domain Controllers Pol icy</tdx/tr> 

<trxtd>Restore files and di rectories</tdxtd>Server Operators, Backup Operators, 
Administrators</tdxtd>Default Domain Controllers Pol icy</t dx/t r> 
<trxtd>shut down the system</tdxtd>Print Operators, Server operators, Backup 
Operators, Administrators</tdxtd>Default Domain Controllers Pol icy </t dx/t r> 
<trxtd>Synchronize directory service data</tdxtdx/tdxtd>Default Domain 
Controllers Pol icy</t dx/t r> 
<trxtd>Take ownership of files or other 

objects</tdxtd>Administrators</tdxtd>Default Domain Controllers Pol icy</tdx/tr> 
</table> 

</divx/divxdiv class="he3 !, xspan class= M sectionTitle" tabindex- !, 0 M >Local 
Policies/Security Options</spanxa class="expando" href="#"x/ax/div> 



<div class="container"xdiv class="he4h"xspan class= M sectionTitle" 
tabindex= ,, O n >Domain Control ler</spanxa class="expando" href="#"x/ax/d-iv> 
<div class="container"xdiv class= M he4i"xtable class= n info3" cell paddi ng="0" 
cellspacing= ,, 0 H > .. ,„ . . 

<trxth scope= ,, coV , >Policy</thxth scope= ,, coV>Setting</thxth scope= col >Winmng 
GP0</thx/tr> 

<trxtd>Domain controller: LDAP server signing 

requirements</tdxtd>None</tdxtd>Default Domain Controllers Policy</tdx/tr> 
</table> 

</divx/divxdiv class= n he4h"xspan class="sectionTitle" tabindex= n O M >Domain 
Member</spanxa class="expando" href= ,, #"x/ax/div> 

<div class="container"xdiv class= n he4i n xtable class="info3" cell paddi ng="0" 
cellspacing="0"> .. ,„ . . 

<trxth scope= ,, col ,, >Policy</thxth scope="col">Setting</thxth scope= col >wmmng 
GP0</thx/tr> 

<trxtd>Domain member: Digitally encrypt or sign secure channel data 
(always)</tdxtd>Enabled</tdxtd>Default Domain Controllers Pol icy</tdx/tr> 
</table> 

</divx/divxdiv class="he4h"xspan class="sectionTi tie" tabindex="0">M-»crosoft 

Network Server</spanxa class= ,, expando n href="# ,, x/ax/di v> 

<div class= ,, container ,, xdiv class= ,, he4i ,, xtable cl ass="i nfo3" cellpadding= n O ,, 

cellspacing= n O M > 

<trxth scope="col ,, >Policy</thxth scope="col ">Setting</thxth scope= n col ,, >Wmmng 
GPO</thx/tr> 

<trxtd>Microsoft network server: Digitally sign communications 
(always)</tdxtd>Enabled</tdxtd>Default Domain Controllers Policy</tdx/tr> 
<trxtd>Microsoft network server: Digitally sign communications (if client 
agrees)</tdxtd>Enabled</tdxtd>Default Domain Controllers Pol icy</tdx/tr> 
</tabl e> 

</divx/divxdiv class="he4h"xspan class= ,, sectionTitle ,, tabindex="0">Network 
Security</spanxa class= ,? expando h href= n #"x/ax/div> 

<div class= ,, container n xdiv class= ,, he4i ,, xtable class="info3" cell padding= M 0 M 
cellspacing= n O"> nti . . 

<trxth scope="col">Policy</thxth scope="col n >Setting</thxth scope="coT >Wi nm ng 
GPO</thx/tr> 

<trxtd>Network security: Force logoff when logon hours 

expi re</tdxtd>Di sabl ed</tdxtd>Def aul t Domai n Pol i cy</tdx/t r> 

<trxtd>Network security: LAN Manager authentication level </tdxtd>Send NTLM 

response only</tdxtd>Default Domain Controllers Policy</tdx/tr> 

</table> 

</divx/divx/divxdiv class="he3 n xspan class= ,, sectionTitle u tabindex= M 0 >Public 
Key Policies/Autoenrollment Settings</spanxa class= M expando M href="# ,, x/ax/div> 
<div class= ,, container ,, xdiv class= rf he4i h xtable class= ,, info3" cellpadding= H 0 M 
cellspacing^^O^ , ff . . 

<trxth scope= ,, col">Policy</thxth scope= n col ">Setting</thxth scope=' col >wmmng 
GPO</thx/tr> 

<trxtd>Enrol 1 certi f i cates automati cal 1 y</tdxtd>Enabl ed</tdxtd> [Def aul t 
setti ng] </tdx/t r> 

<trxtd colspan="3 ,, xtable class="subtable3 M cell padding="O n cell spaci ng="0"> 
<trxtd scope= n row u >Renew expired certificates, update pending certificates, and 
remove revoked certificates</tdxtd>Disabled</tdx/tr> 
<trxtd scope= u row n >Update certificates that use certificate 
tempi ates</tdxtd>Di sabl ed</tdx/tr> 
</tabl ex/tdx/trx/tabl e> 

</divx/divxdiv class= ,, he3 ,, xspan class="sectionTitle M tabindex= M O n >Public Key 

Policies/Encrypting File system</spanxa class= M expando" href= ,, # ,, x/ax/div> 

<div class= H container H xdiv class="he4h"xspan class= ,, sectionTitle" 

tabindex= ,, 0 M >Properties</spanxa class="expando" href="#"x/ax/div> 

<div class= l, container"xdiv class="he4i "xtable class= H info n cell paddi ng="0 M 

cellspacing= ,, 0"> 

<trxtd scope="row ,, xb>winning GPO</bx/tdxtd> [Default setti ng]</tdx/tr> 
</table> 

</divxdiv class^'f^i 1 'xtable class= ,, subtable" cell paddi ng="0" cellspacing= ,, 0 ,, > 
<trxth scope="col ">Pol icy</thxth scope= M col M >Setting</thx/tr> 



<trxtd>Allow users to encrypt files using Encrypting File system 
(EFS)</tdxtd>Enabled</tdx/tr> . „ 

</tablex/divx/divxdiv class="he4h"xspan class= sectionTitle 
tabindex="0">Certificates</spanxa class="expando" href^"#"></a></div> , 
^Hiv class-"container"xdiv class="he4i"xtable class="info3 cellpadding= 0 
ce lspacing="0"xi?xtrscope="?o1 ">lssued To</thxth scope="co1 ">issued By</thxth 
scope="cor>Expi ration Date</thxth scope="col">intended Purposes</thxth 

S??52S*riS SSlSoS ni ,t rator</tdxtd>4/8/2006 9:41:54 A M </tdxtd>Fi 1 e 
Recovery</tdxtd>Default Domain Policy</tdx/tr> 

<b?/>Fo? additional information about individual settings, launch Group Policy 

Obiect Editor. </divx/divx/divxdiv class="he3"xspan class="sectionTitle 

tabindex="0">Public Key Policies/Trusted Root certification Authonties</spanxa 

class="expando" href="#"x/ax/div> T .* n ... 

<div class="container"xdiv class="he4h"xspan class= sectionTitle 

tabindex="0">Properties</spanxa class=' expando href= # ></ax/div> 

<div class="container"xdiv class="he4i"xtable class="info" cellpadding= 0 

<tJ-xtd C icope= 'Vow"xb>Wi nni ng GPO</bx/tdxtd> [Def aul t setti ng] </tdx/t r> 

</divxdiv class="he4i"xtable class="subtable" cellpadding="0" cellspacing="0"> 
<trxth scope="col">Policy</thxth scope="col">setting</th></tr> 
<trxtd>Allow users to select new root certification authorities CCAs) to 

Sx&clienf c^mput^s'can'Trust the following certificate stores</tdxtd>Third- 
Party Root certification Authorities and Enterprise Root certification 

^t^xid^o'peJfom^ertificate-based authentication of users and computers CAs must 
meet the following criteria</tdxtd>Registered in Active Directory only</tdx/tr> 

</table> , „/..,-, ., / . • 

</divx/divx/divx/divx/divxdiv class="filler ></div> . 

<div class="heLexpanded"xspan class="sectionTitle" tabindex="0">Admimstrative 

Tempi ates</spanxa cl ass="expando" href ="#"></a></di y> 

<div class="container"xdiv class="he3"xspan class= sectionTitle 

tabindex="0">Extra Registry Settings</spanxa class= expando hret= # x/ax/div> 

<dil class="containerS<div class=*he4i Soisplay names for some settings cannot be 

found. You might be able to resolve this issue by updating the -ADM files used by 

Group Pol icy management. <br/xbr/xtable class= info3 cellpadding= 0 

<t rxt h C sc§pe='' col ">setti ng</thxth scope="col ">State</thxth scope="col ">Wi nni ng 

<trxtd>SOFTWARE\Microsoft\Windows\Currentversion\Pol icies\Explorer\NoActiveDesktop< 

/tdxtd>l</tdxtd>Local Group Policy</tdx/tr> 

</table> 

</divx/divx/divx/div> 

^div cltls= :: nulexpanded"xspan class="sectionTitle" tabindex="0">user 
Configuration</spanxa class="expando" href="#' ></ax/div> „ 
<div cSass="container"xdiv class="hel_expanded"xspan classy sectionTitle 
tabindex="0">windows settings</spanxa class= expando href= # ></ax/div> 
<div class="container"xdiv class="he2"xspan class= sectionTitle 
tabindex="0">security setti ngs</spanxa class= expando nret= # x/a></diy> 

<div class="container"xdiv class=''he3"xspan class="sectionTitle 
tabindex="0">Public Key Pol icies/Autoenrollment Setti ngs</spanxa class= expando 

5di^class="pn?ainer"><div class="he4i"xtable class="info3" cellpadding="0" 

<t rxth C scope="Jol ">Pol i cy</thxth scope="col ">Setti ng</thxth scope="col ">wi nni ng 

<trxtd>Enrol 1 certi f i cates automat i cal 1 y</tdxtd>Enabl ed</tdxtd> [Def aul t 

""^a^olspan^r^^able class="subtable3" cellpadding="0" cellspacing="0"> 



<trxtd scope="row">Renew expired certificates, update pending certificates, and 
remove revoked certif icates</tdxtd>Disabled</tdx/tr> 
<trxtd scope="row">Update certificates that use certificate 
tempi ates</tdxtd>Di sabl ed</tdx/t r> 
</tabl ex/tdx/t rx/t abl e> 

</divx/divx/divxdiv class="he2"xspan class="sectionTitle" tabindex="0">lnternet 
Explorer Maintenance</spanxa class="expando n href="#"x/ax/div> 

<div class= ,, container"xdiv class="he3"xspan class="sectionTitle" 
tabindex="0">URLs/lmportant URLs</spanxa class="expando" href= ,, #"x/ax/div> 
<div class="container"xdiv class= ,, he4i "xtable class="info3" cellpadding="0" 
cellspacing="0"> 
<trxtd coTspan="3"> 

<table class="subtable" cellpadding="0" cellspacing= M 0 M > 

<trxth scope="col">Name</thxth scope="col ">URL</thxth scope="col ">winning 
GPO</thx/tr> 

<trxtd scope="row">Home page 
URL</tdxtd>f i 1 e : ///c : /Demo/Reports/spec . htm</tdxtd>ww EFS Recovery 
Policy</tdx/tr> 

<trxtd scope="row">Search bar URL</tdxtd>Not configured</tdxtd>N/A</tdx/tr> 

<trxtd scope="row">Online support page URL</tdxtd>Not 
configured</tdxtd>N/A</tdx/tr> 

</tabl e> 
</tdx/tr> 

</tablex/divx/divx/divx/divxdiv class="filler"x/div> 

<div c1ass= ,, hel_expanded' , xspan class="sectionTitle" tabindex="0">Administrative 

Tempi ates</spanxa class= ,, expando n href="#"x/ax/div> 

<div class="container"xdiv class="he3"xspan class= ,, sectionTitle" 

tabindex= ,, 0 ,, >Control Panel </spanxa cl ass="expando" href="#"x/ax/div> 

<div class= ,, container"xdiv c I ass="he4i "xtable class="info3 n cellpadding="0" 

cellspacing="0"> 

<trxth scope="col">Policy</thxth scope="col ">Setting</thxth scope="col ">Winning 
GPO</thx/tr> 

<trxtdxa class="explainlink" href="iavascript : void() ; " 

onclick= M javascript:showExplainText(this) ; return false;" gpmc_settingName="show 
only specified Control Panel applets" gpmc_settingPath="User 

Conf i guration/Admi ni strati ve Tempi ates/Control Panel " gpmc_setti ngDescri ption="Hi des 
all Control Panel items and folders except those specified in this 
setting. <br/&gt ;<br/&gt ;This setting removes all Control Panel items (such as 
Network) and folders (such as Fonts) from the Control Panel window and the Start 
menu. It removes Control Panel items you have added to your system, as well the 
Control Panel items included in windows 2000 and Windows XP Professional. The only 
items displayed in Control Panel are those you specify in this 

setting.<br/><br/>To display a Control Panel item, type the file name of 
the item, such as Ncpa.cpl (for Network). To display a folder, type the folder name, 
such as Fonts. <br/> <br/> This setting affects the Start menu and control 
Panel window only, it does not prevent users from running any Control Panel 
i terns. <br/><br/> Also, see the &quot; Remove Display in Control 
Panel&quot ; setting in User Conf iquration\Administ rati ve Tempi ates\control 
Panel\Display.<br/><br/>lt both the &quot ;Hide specified Control 
Panel applets&ampjquot ; setting and the &quot ;Show only specified Control Panel 
applets&quot ; setting are enabled, the &quot ;Show only specified Control 
Panel applets&quot ; setting is ignored. <br/&gt ;&lt ;br/&gt ;Tip: To find the 
file name of a Control Panel item, search for files with the .cpl file name 
extension in the %Systemroot%\System32 directory." gpmc_supported="At least 
Microsoft Windows 2000">Show only specified Control Panel 
appl ets</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged User Setti ngs</tdx/t r> 
<trxtd colspan="3"xtable class="subtabl enframe" cellpadding= 0" cellspacing="0"> 
<trxtd col span="2 "xtable class="subtable" cellpadding="0" cellspacing="0"> 
<trxth scope="col">List of allowed Control Panel applets</thx/tr> 
<trxtd>desk . cpl </tdx/t r> 
<trxtd>appwiz . cpl </tdx/tr> 
<trxtd>access . cpl </tdx/tr> 
<t rxtd>mai n . cpl </tdx/t r> 



</tablex/tdx/trxtrxtd colspan="2">To create a list of allowed Control Panel 
applets, click Show,</tdx/trxtrxtd colspan="2">then Add, and enter the Control 
Panel file name (ends with .cpl)</td></tr><trxtd colspan="2">or the name displayed 
under that item in the Control Panel . </tdx/trxtrxtd colspan="2">(e.q. desk col 
powercfg.cpl , Printers)</tdx/trx/tablex/tdx/trx/table> 
</diyx/divxdiv class= ,, he3 ,, xspan class="sectionTitle" tabindex="0">control 
Panel/Add or Remove Programs</spanxa class= ,, expando M href="#"x/ax/div> 
<diy class="container"xdiv class= ,, he4i ,, xtable class="info3" cellpaddinq= M O n 
cellspacing="0"> 

<trxth scope="col">Policy</thxth scope="col ">Setting</thxth scope="col ">winninq 
GPO</thx/tr> y 
<trxtdxa class="explainlink" href="iavascript :void() ;" 

onclick= M javascript:showExplainText(this); return false;" gpmc_settingName="Hide 
Add/Remove Windows Components page" gpmc_settingPath= M liser 
Configuration/Administrative Templates/Control Panel/Add or Remove Programs" 
gpmc_settingDescription=="Removes the Add/Remove Windows Components button from the 
Add or Remove Programs bar. As a result, users cannot view or change the associated 
page. <br/><br/> The Add/Remove Windows Components button lets users 
configure installed services and use the Windows Component Wizard to add, remove 
and configure components of windows from the installation 

files.<br/><br/>lf you disable this setting or do not configure it, the 
Add/Remove Windows components button is available to all 

use rs.<br/><br/> This setting does not prevent users from using other 
tools and methods to configure services or add or remove program components. 
However, this setting blocks user access to the windows Component Wizard." 
gpmc_supported="At least Microsoft windows 2000">Hide Add/Remove Windows Components 
page</ax/tdxtd>Enabled</tdxtd>LightlyManaged User Settings</tdx/tr> 
<trxtdxa class="explainlink" href="javascri pt :void() ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Hide the 
&quot;Add a program from CD-ROM or floppy disk&quot ; option" 
gpmc_settingPath="user Configuration/Administrative Templates/control Panel/Add or 
Remove Programs" gpmc_settingDescription="Removes the &quot ;Add a program from 
CD-ROM or floppy disk&amp ;quot ; section from the Add New Programs page. This 
prevents users from using Add or Remove Programs to install programs from removable 
media.<br/><br/>lf you disable this setting or do not configure it, the 
&quot;Add a program from CD-ROM or floppy disk&amp ;quot ; option is available to 
all users. <br/&gt ;<br/>This setting does not prevent users from using other 
tools and methods to add or remove program components. &lt ;br/><br/> Note: if 
the &quot; Hide Add New Programs page&quot ; setting is enabled, this setting 
is ignored. Also, if the &quot; Prevent removable media source for any 
install &quot; setting (located in User Confiquration\Administrative 
Tempi ates\windows Components\Windows installer) is enabled, users cannot add 
programs from removable media, regardless of this setting." gpmc_supported="At least 
Microsoft Windows 2000">Hide the "Add a program from CD-ROM or floppy 
disk" option</ax/tdxtd>Enabled</tdxtd>LightlyManaged User Settinqs</tdx/tr> 
<trxtdxa class="explainlink" href=" javascript : voidQ ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Hide the 
&quot;Add programs from Microsoft&quot ; option" gpmc_settingPath="user 
Configuration/Administrative Templates/Control Panel/Add or Remove Programs" 
gpmc_settingDescription=="Removes the &quot ;Add programs from Microsoft&ampjquot ; 
section from the Add New Programs page. This setting prevents users from using Add 
or Remove Programs to connect to windows Update. &lt ;br/&gt ;&lt ;br/&gt ;lf you disable 
this setting or do not configure it, &quot ;Add programs from Microsoft&quot ; 
is available to all users. <br/><br/>This setting does not prevent users 
trom using other tools and methods to connect to Windows 
Update. <br/><br/>Note: if the &quot ;Hide Add New Programs 
page&quot; setting is enabled, this setting is ignored." gpmc_supported="At 
least Microsoft Windows 2000">Hide the "Add programs from Microsoft&quot ; 
option</ax/tdxtd>Enabled</tdxtd>LightlyManaged user Setti ngs</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript : void() ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Specify 
default category for Add New Programs" gpmc_settingPath="User 
Configuration/Administrative Templates/Control Panel/Add or Remove Programs" 
gpmc_settingDescnption="specifies the category of programs that appears when users 



open the &quot ;Add New Programs&quot ; page.&lt ;br/&gt ;&lt ;br/&gt ;If you 
enable this setting, only the programs in the category you specify are displayed 
when the &quot ;Add New Programs&quot ; page opens, users can use the Category 
box on the &quot ;Add New Programs&quot ; page to display programs in other 
categories.<br/>&lt ;br/>To use this setting, type the name of a category in 
the Category box for this setting. You must enter a category that is already defined 
in Add or Remove Programs. To define a category, use Software 

Install at i on. <br/><br/> If you disable this setting or do not configure 
it, all programs (Category: All) are displayed when the &quot ;Add New 
Programs&quot; page opens. &lt ;br/>&lt ;br/&gt ;You can use this setting to 
direct users to the programs they are most likely to 
need.<br/&gt ;&lt ;br/>Note: This setting is ignored if either the 
&quot; Remove Add or Remove Programs&quot ; setting or the &quot ;Hide Add 
New Programs page&quot ; setting is enabled." gpmc_supported="At least Microsoft 
Windows 2000 n >Specify default category for Add New 

Programs</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged User setti ngs</tdx/t r> 
<trxtd colspan="3"xtable class="subtable_f rame* eel 1 paddi ng="0" cellspacing="0 M > 
<trxtd>Category :</tdxtd>Custom Applications</tdx/tr> 
</tabl ex/tdx/trx/tabl e> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">Control 
Panel /Display</spanxa class= n expando" href= ,, # ,, x/ax/div> 

<div class="container"xdiv class= ,, he4i ,, xtable class="info3" cell paddi ng="0" 
cellspacing="0"> 

<trxth scope="col">Policy</thxth scope="col ">Setting</thxth scope="col">winning 
GPO</thx/tr> 

<trxtdxa class="explainlink" href="iavascript :void() ; " 

one! ick=" javascript :showExplainText(this) ; return false;" gpmc_settingName="Hide 
Settings tab" gpmc_settingPath="User Configuration/Administrative Templates/Control 
Panel/Display" gpmc_settingDescri ption="Removes the Settings tab from Display in 
Control Panel ,&lt ;br/>&lt ;br/>This setting prevents users from using Control 
Panel to add, configure, or change the display settings on the computer." 
gpmc_supported="At least Microsoft windows 2000">Hide Settings 
tab</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged user Setti ngs</tdx/tr> 
<trxtdxa class="explainlink" href="javascript:void() ;" 

onclick="javascript :showExplainText(tnis) ; return false;" gpmc_settingName="Screen 
Saver" gpmc__settingPath="User Configuration/Administrative Templates/Control 
Panel /Display" gpmc_setti ngDescription="Enables desktop screen 

savers. <br/&gt ;<br/>lf you disable this setting, screen savers do not run. 
Also, this setting disables the Screen Saver section of the screen Saver tab in 
Display in Control Panel. As a result, users cannot change the screen saver 
options. &lt ;br/&gt ;&lt ;br/>lf you do not configure it, this setting has no effect 
on the system. <br/><br/>lf you enable it, a screen saver runs, provided 
the following two conditions hold: First, a valid Screensaver on the client is 
specified through the &quot; Screensaver executable name&quot ; setting or 
through Control Panel on the client computer. Second, the Screensaver timeout is set 
to a nonzero value through the setting or Control Panel .<br/&gt ;<br/&qt ; Also, 
see the &quot ;Hide Screen Saver tab&quot ; setting." gpmc_supported= At least 
Microsoft Windows 2000 Service Pack l">Screen 

Saver</ax/tdxtd>Enabled</tdxtd>Li ghtl yManaged User Setti ngs</tdx/tr> 
<trxtdxa class="explainlink" href= javascript :void() ;" 

oncl i ck=" javasc ri pt : showExpl ai nText (thi s) ; return f al se ; " gpmc_setti ngName="screen 
Saver executable name" gpmc_settingPath="User Configuration/Administrative 
Templates/Control Panel /Display" gpmc_settingDescription="Specifies the screen saver 
for the user's desktop. <br/&gt ;&lt ;br/> if you enable this setting, the system 
displays the specified screen saver on the user's desktop. Also, this setting 
disables the drop-down list of screen savers on the Screen Saver tab in Display in 
Control Panel, which prevents users from changing the screen 

saver.&lt ;br/&gt ;<br/>lf you disable this setting or do not configure it, 
users can select any screen saver .<br/&gt ;<br/&gt ;lf you enable this setting, 
type the name of the file that contains the screen saver, including the .scr file 
name extension. If the screen saver file is not in the %Systemroot%\system32 
directory, type the fully qualified path to the file.&lt ;br/&qt;<br/&gt ;lf the 
specified screen saver is not installed on a computer to which this setting applies, 
the setting is ignored. <br/&gt ;&lt ;br/&gt ;Note: This setting can be superseded by 



the &quot; Screen Saver&quot ; setting, if the &quot ; Screen 
Saver&quot ; setting is disabled, this setting is ignored, and screen savers do 
not run. ' gpmc_supported="At least Microsoft windows 2000 Service Pack l M >Screen 
Saver executable name</a></td><td>Enabled</tdxtd>LightlyManaged User 
Settings</tdx/tr> 

<trxtd colspan= M 3 M xtable class="subtable_frame" cellpadding^O" cellspacing= M 0 M > 
<trxtd>Screen Saver executable name</tdxtd>scrnsave.scr</tdx/tr> 
</tabl ex/tdx/trx/tabl e> 

</divx/divxdiv class="he3"xspan class= ,, sectionTitle" 

tabindex="0">Desktop</spanxa c Iass="expando" href= ,, #"x/ax/div> 

<div class="container ,, xdiv class="he4i xtable class= ,, info3" cellpadding="0" 

cellspacing="0"> 

<trxth scope="col">Policy</thxth scope= ,, col ,, >setting</thxth scope="col ">winning 
GPO</thx/tr> 

<trxtdxa class="explainlink" href=="iavascript:void() ;" 

oncl ick="javascript: showExpl ai nText (this) ; return false;" gpmc_settingName="Do not 
add shares of recently opened documents to My Network Places" gpmc_settingPath="user 
Configuration/Administrative Templates/Desktop" gpmc_settingDescription="Remote 
shared folders are not added to My Network Places whenever you open a document in 
the shared folder.<br/><br/>If you disable this setting or do not 
configure it, when you open a document in a remote shared folder, the system adds a 
connection to the shared folder to My Network Places.<br/><br/>lf you 
enable this setting, shared folders are not added to My Network Places automatically 
when you open a document in the shared folder." gpmc_supported="At least Microsoft 
Windows 2000">Do not add shares of recently opened documents to My Network 
Pi aces</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged User Setti ngs</tdx/t r> 
<trxtdxa class="explainlink" href="iavascript : void() ;" 

one! i ck=" javasc ri pt : showExpl ai nText (this) ; return f al se ; " gpmc_setti ngName="Prevent 
adding, dragging, dropping and closing the Taskbar' s toolbars" 
gpmc_settingPath="User Configuration/Administrative Templates/Desktop" 
gpmc_settingDescription=" Prevents users from manipulating desktop 
tool bars. <br/><br/> If you enable this setting, users cannot add or 
remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of 
docked tool bars. <br/><br/> Note: if users have added or removed toolbars, 
this setting prevents them from restoring the default 

configuration.&lt ;br/>&lt ;br/&gt ;Tip: To view the toolbars that can be added to 
the desktop, right-click a docked toolbar (such as the taskbar beside the start 
button), and point to &quot ; Tool bars .&quot ;<br/&gt ;<br/&gt ;Also, see 
the &quot; Prohibit adjusting desktop too lbars&quot ; setting." 
gpmc_supported="At least Microsoft windows 2000">Prevent adding, dragging, dropping 
and closing the Taskbar' s toolbars</ax/tdxtd>Enabled</tdxtd>LightTyManaged User 
Setti ngs</tdx/tr> 

<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="javascript : showExpl ai nText (this) ; return false;" gpmc_settingName=" Prohibit 
user from changing My Documents path" gpmc_setti ngPath="User 

Configuration/Administrative Templates/Desktop" gpmc_settingDescription="Prevents 
users from changing the path to the My Documents folder. <br/><br/>By 
default, a user can change the location of the My Documents folder by typing a new 
ath in the Target box of the My Documents Properties dialog 

ox.<br/&gt ;&lt ;br/&qt ;lf you enable this setting, users are unable to type a new 
location in the Target box." gpmc_supported="At least Microsoft Windows 
2000">Prohibit user from changing My Documents 

path</ax/tdxtd>Enabled</tdxtd>Lightl yManaged User Setti ngs</tdx/tr> 
<trxtdxa class="explainlink" href="iavascnpt :void() ;" 

oncl ick="javascript: showExpl ai nText (thi s) ; return false;" gpmc_settingName="Remove 
Properties from the Recycle Bin context menu" qpmc_settingPath="User 
Configuration/Administrative Templates/Desktop gpmc_settingDescription="Removes the 
Properties option from the Recycle Bin context menu.&lt ;br/&gt ;&lt ;br/&gt ;lf you 
enable this setting, the Properties option will not be present when the user right- 
clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter 
does nothing when Recycle Bin is selected. &lt ;br/&gt ;&lt ;br/&gt ;lf you disable or do 
not configure this setting, the Properties option is displayed as usual." 
gpmc_supported="At least Microsoft windows XP Professional or windows Server 2003 



family">Remove Properties from the Recycle Bin context 
menu</ax/tdxtd>Enabled</tdxtd>WW ITG Policy</tdx/tr> 
</table> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">Network/Network 
Connections</spanxa class="expando" href="#"x/ax/div> 

<div class="container"xdiv class="he4i"xtable class="info3" cellpadding="0" 
cellspacing="0"> 

<trxth scope="col">Policy</thxth scope="col">Setting</thxth scope="col ">winning 
GPO</thx/tr> 

<trxtdxa class="explainlink" href="iavascript :void() ;" 

onclick=" javascript :showExplainText(tnis) ; return false;" gpmc_settingName="Prohibit 
access to the Advanced Settings item on the Advanced menu" gpmc_settingPath="User 
Configuration/Administrative Templates/Network/Network Connections" 
gpmc_settingDescription="Determines whether the Advanced Settings item on the 
Advanced menu in Network Connections is enabled for 

administrators. <br/&gt ;<br/>The Advanced Settings item lets users view and 
change bindings and view and change the order in which the computer accesses 
connections, network providers, and print providers. &lt ;br/&gt ;&lt ;br/&gt ;lf you 
enable this setting (and enable the &quot ; Enable Network Connections settings 
for Administrators&quot ; setting), the Advanced Settings item is disabled for 
administrators. <br/><br/> Important: if the &quot ; Enable Network 
Connections settings for Administrators&quot ; is disabled or not configured, 
this setting will not apply to administrators on post-windows 2000 
computers. &Tt;br/&gt ;<br/&gt ; If you disable this setting or do not configure it, 
the Advanced Settings item is enabled for administrators .&Tt; br/&gt ;&lt ;br/>Note: 
Nonadministrators are already prohibited from accessing the Advanced settings dialog 
box, regardless of this setting." gpmc_supported="At least Microsoft windows 2000 
Service Pack l">Prohibit access to the Advanced Settings item on the Advanced 
menu</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged User Setti ngs</tdx/t r> 
</table> 

</divx/divxdiv cl ass="he3"xspan class="sectionTitle" tabindex="0">Network/offl ine 
Files</spanxa class="expando" href="#"x/ax/div> 

<div class="container"xdiv class="he4i"xtable class="info3" cell padding="0" 
cellspacing="0"> 

<trxth scope="col">Policy</thxth scope="col ">Setting</thxth scope="col M >wi nni ng 
GPO</thx/tr> 

<trxtdxa class="explainlink" href=" -javascript : void() ; " 

onclick="javascript:showExplainText(this) ; return false;" gpmc_settingName=" Prevent 
use of Offline Files folder" gpmc_settingPath="User Configuration/Administrative 
Templates/Network/Offline Files" gpmc_settingDescription= Disables the offline Files 
folder .&lt ;br/> Alt ;br/> This setting disables the &quot ;View 
Files&quot ; button on the Offline Files tab. As a result, users cannot use the 
Offline Files folder to view or open copies of network files stored on their 
computer. Also, they cannot use the folder to view characteristics of offline files, 
such as their server status, type, or location. &lt ;br/&gt ;&lt ;br/>This setting 
does not prevent users from working offline or from saving local copies of files 
available offline. Also, it does not prevent them from using other programs, such as 
Windows Explorer, to view their offline files.<br/><br/>This setting 
appears in the Computer Configuration and User Configuration folders, if both 
settings are configured, the setting in Computer Configuration takes precedence over 
the setting in User Configuration .&Tt ;br/&gt ;<br/&gt ;Tip: To view the Offline 
Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click 
the Offline Files tab, and then click &quot ; View Files .&quot; " 

?pmc_supported="At least Microsoft windows 2000">Prevent use of offline Files 
ol der</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged User Setti ngs</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript : void() ; " 

onclick=" javascript :showExplainText(tnis) ; return false; " gpmc_settingName=" Prohibit 
user configuration of offline Files" gpmc_settingPath="user 
Conf i gurati on/Admi ni strati ve Tempi ates/Network/of f 1 i ne Fi 1 es" 

gpmc_settingDescription="Prevents users from enabling, disabling, or changing the 
configuration of offline Files .&lt ;br/&gt ;&lt ;br/&gt ;This setting removes the 
offline Files tab from the Folder Options dialog box. It also removes the Settings 
item from the offline Files context menu and disables the Settings button on the 
Offline Files Status dialog box. As a result, users cannot view or change the 



options on the Offline Files tab or offline Files dialog 

box. <br/><br/&qt; This is a comprehensive setting that locks down the 
configuration you establish by using other settings in this 

folder. Alt ;br/><br/> This setting appears in the Computer Configuration and 
User Configuration folders. If both settings are configured, the setting in Computer 
Configuration takes precedence over the setting in User 

Configuration. &lt ;br/&qt ;&lt ;br/&gt ;Tip: This setting provides a quick method for 
locking down the default settings for offline Files. To accept the defaults, just 
enable this setting. You do not have to disable any other settings in this folder." 
gpmc_supported= At least Microsoft windows 2000">Prohibit user configuration of 
Offline Files</a></tdxtd>Enabled</tdxtd>LightlyManaged User Settings</tdx/tr> 
<trxtd colspan="3"xtable cl ass="subtabl enframe ff celfpadding="0" cellspacing="0"> 
<trxtd colspan= ,, 2">Prevents users from changing any cache configuration 
setti nqs . </tdx/trx/tabl ex/tdx/trxtrxth scope= col ">Pol icy</thxth 
scope= col">Setting</thxth scope="col ">winning GPO</thx/tr> 
<trxtdxa class="explainlink" href=" javascript :void() ;" 

onclick="javascript:showExplainText(this); return false; 1 * gpmc_settingName=" Remove 

Make Available offline gpmc_settingPath="User Configuration/Administrative 
Tempi ates/Network/offl me Files" gpmc._settingDescription="Prevents users from makinq 
network files and folders available offline. &lt ;br/&gt ;&lt ;br/&gt ;This setting 
removes the &quot ;Make Available offline&quot ; option from the File menu and 
from all context menus in windows Explorer. As a result, users cannot designate 
files to be saved on their computer for offline use.&lt ;br/&gt ;&lt ;br/&gt ; However 
this setting does not prevent the system from saving local copies of files that 
reside on network shares designated for automatic caching. &lt ;br/&gt ;&lt ;br/>This 
setting appears in the Computer Configuration and User Configuration folders. If 
both settings are configured, the setting in Computer Configuration takes precedence 
™^u the sett ] n g in User Configuration." gpmc_supported="At least Microsoft windows 
2000 >Remove Make Available Off! ine ' </ax/tdxtd>Enabled</tdxtd>LiqhtlyManaqed 
User Setti ngs</tdx/tr> y 
<trxtdxa class="explainlink" href=" javascript :void() ; " 
onclick="javascript:showExplainText(this) ; return false;" 
gpmc_settmgName="Synchronize all offline files before logging off" 
gpmc_settingpath="user Configuration/Administrative Templates/Network/Offline Files" 
gpmc_settingDescription="Determines whether offline files are fully synchronized 
when users Tog off .<br/&qt ;&lt ;br/&gt ;This setting also disables the 
&quot;Synchronize all offline files before logging off&quot ; option on the 
Offline Files tab. This prevents users from trying to change the option while a 
setting controls it .&lt ;br/&gt ;&lt ;br/>if you enable this setting, offline files 
are fully synchronized. Full synchronization ensures that offline files are complete 
and current. <br/><br/>lf you disable this setting, the system only 
performs a quick synchronization. Quick synchronization ensures that files are 
complete, but does not ensure that they are current .&lt ;br/&gt ;&lt ;br/> if you do 
not configure this setting, the system performs a quick synchronization by default, 
but users can change this option. <br/&gt ;<br/&gt ;This setting appears in the 
Computer Configuration and User Configuration folders. If both settings are 
configured, the setting in Computer Configuration takes precedence over the settinq 
in user Configuration. &lt ;br/&gt ;<br/>Tip: To change the synchronization 
method without changing a setting, in windows Explorer, on the Tools menu, click 
Folder options, click the offline Files tab, and then select the 
&quot; synchronize all offline files before logging off&quot ; option " 
qpmc_supported:="At least Microsoft windows 2000">Synchronize all offline files 
before logging off</ax/tdxtd>Enabled</tdxtd>LiqhtlyManaqed User 
setti ngs</tdx/tr> 
</table> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">Start Menu and 
Taskbar</spanxa class="expando" href="#"x/ax/div> 

<div class="container"xdiv class="he4i "xtable class="info3" cell paddinq="0" 
cellspacing="0"> * 

<trxth scope="col">Policy</thxth scope="col ">Setting</thxth scope="col ">winninq 
GPO</thx/tr> y 
<trxtdxa class="explainlink" href=" javascript : void() ; " 

onclick="jayascript:showExplainText(this); return false;" gpmc_settingName="Add 
Logoff to the Start Menu" gpmc_settingPath="User Configuration/Administrative 



Templates/Start Menu and Taskbar" gpmc_settingDescription="Adds the &quot;Loq 
Off &lt;username&gt;&quot; item to the Start menu and prevents users 
from removing it.<br/><br/>if you enable this setting, the Log off 
&lt;username&gt; item appears in the Start menu. This setting also removes 
the Display Logoff item from Start Menu options. As a result, users cannot remove 
the Log Off & lt;username&gt; item from the start 

Menu.<br/><br/>if you disable this setting or do not configure it, users 
can use the Display Logoff item to add and remove the Log Off 
i tern. <br/><br/> This setting affects the start menu only, it does not 
affect the Log off item on the windows Security dialog box that appears when you 
press Ctrl+Alt+Del .<br/><br/>Note: To add or remove the Log off item on 
a computer, click Start, click settings, click Taskbar and start Menu, click the 
start Menu Options tab, and then, in the start Menu Settings box, click Display 
Logoff .< br/&gt,;&lt ;br/> Also, see &quot; Remove Logoff&amp:quot ; in User 
Configuration\Admimstrative Tempi ates\system\ Logon/Logoff . " gpmc supported="At 
least Microsoft windows 2000">Add Logoff to the start " 
Menu</ax/tdxtd>Enabled</tdxtd>LightlyManaged user Settinqs</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:voidO ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName=" Force 
classic start Menu gpmc_settingPath="user Configuration/Administrative 
Templates/Start Menu and Taskbar" gpmc_settingDescription="This settinq effects the 
presentation of the start menu.<br/><br/>The classic start menu in 
Windows 2000 Professional allows users to begin common tasks, while the new start 
menu consolidates common items onto one menu. When the classic Start menu is used 
the following icons are placed on the desktop: My Documents, My Pictures, My Music 
My computer, and My Network Places. The new Start menu starts them 
directly. <br/><br/>If you enable this setting, the Start menu displays 
the classic Start menu in the windows 2000 style and displays the standard desktop 
icons. <br/><br/> if you disable this setting, the Start menu only 
displays in the new style, meaning the desktop icons are now on the start 




Menu</ax/tdxtd>Enabled</tdxtd>LightlyManaged User Settinqs</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:void() ;" 
onclick="iavascript:showExplainText(this); return false;" gpmc_settingName="Gray 
unavailable Windows installer programs start Menu shortcuts" gpmc_settinqPath="User 
Configuration/Administrative Templates/start Menu and Taskbar" 
gpmc_settingDescription="Di splays start menu shortcuts to partially installed 
programs in gray text. <br/><br/&qt; This setting makes it easier for users 
to distinguish between programs that are fully installed and those that are only 
partially installed.<br/><br/> Parti ally installed programs include those 
tnat a system administrator assigns using Windows installer and those that users 
have configured for full installation upon first use.<br/><br/>lf you 
disable this setting or do not configure it, all start menu shortcuts appear as 
black text. <br/><br/&qt; Note: Enabling this setting can make the start menu 
slow to open. gpmc_supported=At least Microsoft Windows 2000">Gray unavailable 
Windows Installer programs start Menu 

shortcuts</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged User Setti nqs</tdx/t r> 
<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName=" Remove 
links and access to Windows Update" gpmc_settingPath="user 
Configuration/Administrative Templates/Start Menu and Taskbar" 
gpmc_settinqDescription="Prevents users from connecting to the Windows Update Web 
site.<br/><br/>This setting blocks user access to the windows Update Web 
■Vj 6 at . htt P = //windowsupdate. microsoft. com. Also, the setting removes the Windows 
Update hyperlink from the Start menu and from the Tools menu in internet 
Exglorer.<br/><br/>Windows Update, the online extension of Windows, 
of.ers software updates to keep a user's system up-to-date. The Windows Update 
Product Catalog determines any system files, security fixes, and Microsoft updates 
that users need and shows the newest versions available for 
download.<br/><br/>Also, see the &quot;Hide the &quot;Add 
programs from Microsoft&quot; option&quot; setting." gpmc_supported="At 



least Microsoft Windows 2000">Remove links and access to Windows 
Update</ax/tdxtd>Enabled</tdxtd>LightlyManaged User Settings</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Remove 
Network Connections from Start Menu" gpmc_settingPath="User 
Configuration/Administrative Templates/start Menu and Taskbar" 
gpmc_settingDescription=" Prevents users from running Network 

Connections.<br/><br/>This setting prevents the Network Connections 
folder from opening. This setting also removes Network Connections from settings on 
the start menu. <br/><br/> Network connections still appears in Control 
Panel and in Windows Explorer, but if users try to start it, a message appears 
explaining that a setting prevents the action. <br/>&lt ;br/>Also, see the 
&quot; Disable programs on Settings menu&amp ;quot ; and &quot; Disable Control 
Panel &quot; settings and the settings in the Network Connections folder 
(Computer Configuration and User Configuration\Administrative 

Tempi ates\Network\Network Connections)." gpmc_supported="At least Microsoft windows 
2000 >Remove Network Connections from Start 

Menu</ax/tdxtd>Enabled</tdxtd>LightlyManaged User Settings</tdx/tr> 
<trxtdxa class="explainl ink" href="iavascript:void() ;" 

onclick="iavascript:showExplainText(this); return false;" gpmc_settingName=" Remove 
Run menu from start Menu" gpmc_settingPath="user Configuration/Administrative 
Templates/Start Menu and Taskbar" gpmc_settinqDescription="Allows you to remove the 
Run command from the start menu, Internet Explorer, and Task 
Manager. <br/><br/> If you enable this setting, the following changes 
occur :<br/><br/>(l) The Run command is removed from the Start 
menu.<br/><br/>(2) The New Task (Run) command is removed from Task 
Manage r.<br/><br/> (3) The user will be blocked from entering the 
following into the internet Explorer Address Bar:<br/><br/> — A UNC 
path : \\&amp ; 1 t ; server&amp ; gt ; \&amp ; 1 t ; share&amp ; gt ; &1 1 ; br/&gt ;&1 1 ; br/&gt ; — 
Accessing local drives: e.g., c:<br/><br/> — Accessing local folders: 
e.g., \temp&gt;<br/><br/>Also, users with extended keyboards will no 
longer be able to display the Run dialog box by pressing the Application key (the 
key with the Windows logo) + R.<br/><br/>lf you disable or do not 
configure this setting, users will be able to access the Run command in the start 
menu and in Task Manager and use the Internet Explorer Address 
Bar.<br/><br/><br/><br/>Note:This setting affects the 
specified interface only, it does not prevent users from using other methods to run 
programs. <br/><br/> Note: It is a requirement for third-party 
applications with windows 2000 or later certification to adhere to this setting." 
gpmc_supported="At least Microsoft windows 2000">Remove Run menu from Start 
Menu</ax/tdxtd>Disabled</tdxtd>ww itg Pol icy</tdx/tr> 
</table> 

</divx/divxdiv class="he3"xspan cl ass="sectionTitl e" tabindex="0">system</spanxa 
class="expando" href="#"x/ax/div> 

<diy class="container"xdiv class="he4i"xtable class="info3" cell paddinq="0" 
cellspacing="0"> a 

<trxth scope="col">Policy</thxth scope="col ">Setting</thxth scope="col">winninq 
GPO</thx/tr> M 
<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="iavascript:showExplainText(this); return false;" gpmc_settingName="Don*t 
display the Getting started welcome screen at logon" gpmc_settingPath="User 
Configuration/Administrative Templates/System" gpmc_settingDescription="supresses 
the welcome screen. <br/><br/>This setting hides the welcome screen that 
is displayed on Windows 2000 Professional and windows XP Professional each time the 
user logs on.<br/><br/>Users can still display the welcome screen by 
selecting it on the start menu or by typing &quot;welcome&quot; in the Run 
dialog box. <br/><br/> This setting applies only to Windows 2000 
Professional and Windows XP Professional. It does not affect the &quot; Configure 
Your Server on a Windows 2000 Server&amp ;quot; screen on Windows 2000 
server. <br/><br/&qt; Note: This setting appears in the Computer 
Configuration and User Configuration folders, if both settings are configured, the 
setting in Computer Configuration takes precedence over the setting in user 
Configuration. <br/><br/>Tip: To display the welcome screen, click start, 
point to Programs, point to Accessories, point to System Tools, and then click 



&quot; Getting Started. &quot; To suppress the welcome screen without 
specifying a setting, clear the &quot;Show this screen at startup&quot ; 
™«£„ box on the welcome screen." gpmc_supported="only works on Microsoft windows 
2000 >Don t display the Getting Started welcome screen at 
logon</ax/tdxtd>Enabled</tdxtd>Li ghtl yManaged user Settings</tdx/tr> 
<trxtdxa class="explainlink" href= javascript : void () ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Prevent 
access to registry editing tools" gpmc_settinqPath="user 

configuration/Administrative Tempi ates/System rf gpmc_settingDescription="Disables the 
Windows registry editor Regedit.exe. <br/><br/>lf this setting is enabled 
and the user tries to start a registry editor, a message appears explaining that a 
setting prevents the action. <br/><br/>To prevent users from using other 
administrative tools, use the &quot;Run only allowed Windows 
applications&quot; setting." gpmc_supported="At least Microsoft windows 
2000 >Prevent access to registry editing 

tool s</ax/tdxtd>Enabled</tdxtd>Li ghtl yManaged user Settings</tdx/tr> 
<trxtdxa class="explainlink" href= rf iavascript:voidO ;" 

onclick=; , javascript:showExplainText(this); return false;" gpmc_settingName="Turn off 
Autoplay gpmc_settingPath="User Configuration/Administrative Templates/System" 
gpmc_settingDescription="Turns off the Autoplay 

feature. <br/><br/> Autoplay begins reading from a drive as soon as you 
insert media in the drive, as a result, the setup file of programs and the music on 
audio media start immediately.<br/><br/>By default, Autoplay is disabled 
on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and 
on network drives. <br/><br/>lf you enable this setting, you can also 
disable Autoplay on CD-ROM drives or disable Autoplay on all 

drives. <br/><br/>This setting disables Autoplay on additional types of 
drives. You cannot use this setting to enable Autoplay on drives on which it is 
disabled by default. <br/><br/>Note: This setting appears in both the 
Computer Configuration and User Configuration folders, if the settings conflict the 
setting in Computer Configuration takes precedence over the setting in user 
Configuration.<br/><br/>Note: This setting does not prevent Autoplay for 
music CDs. gpmc_supported="At least Microsoft Windows 2000">Turn off 
Autopl ay</ax/tdxtd>Enabl ed</tdxtd> Li ghtl yManaged Use r Setti ngs</tdx/t r> 
<trxtd colspan="3"xtable class="subtable_frame rf cellpadding="0" cellspacing="0"> 
<trxtd>Turn off Autoplay on:</tdxtd>All drives</tdx/tr> 
</tabl ex/tdx/trx/tabl e> 

</divx/divxdiv class="he3"xspan class="sectionTitle" 
tabindex="0">system/scripts</spanxa class="expando" href="#"x/ax/div> 
<div class= container"xdiv class="he4i"xtable class="info3" cellpaddinq="0" 
cellspacing="0"> 3 

<trxth scope="col">Policy</thxth scope="col ">setting</thxth scope="col ">winninq 
GP0</thx/tr> a 

<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="qavascript:showExplainText(this); return false;" gpmc_settingName="Run 
logon scripts synchronously" gpmc_settingPath="User Configuration/Administrative 
Tempi ates/System/Scripts" gpmc_settingDescription="Directs the system to wait for 
the logon scripts to finish running before it starts the windows Explorer interface 
program and creates the desktop. &1 t ; br/&gt ;<br/&gt ; if you enable this setti nq, 
Windows Explorer does not start until the logon scripts have finished running. This 
setting ensures that logon script processing is complete before the user starts 
working, but it can delay the appearance of the desktop. <br/><br/> If you 
disable this setting or do not configure it, the logon scripts and Windows Explorer 
are not synchronized and can run simultaneously. <br/><br/>This settinq 
appears in the Computer Configuration and User Configuration folders. The setting 
set in Computer Configuration takes precedence over the setting set in User 
Configuration." gpmc_supported="At least Microsoft windows 2000">Run loqon scripts 
synchronous! y</ax/tdxtd>Enabled</tdxtd>Li ghtl yManaged user Setti ngs</tdx/tr> 

^/ LclD I G> 

</div></divxdiv class="he3"xspan class="sectionTitle" tabindex="0">system/user 
Profiles</spanxa class="expando" href="#"x/ax/div> 

<div class="container"xdiv class="he4i"xtable class="info3" cellpaddinq="0" 
cellspacing= 0 > 3 



<trxth scope="col">Policy</thxth scope="col ">Setting</thxth scope="col">winninq 
GPO</thx/tr> ~ y 

<trxtdxa class="explainl ink" href="iavascript :void() ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName=" Limit 
profile size gpmc_settinqPath="User Configuration/Administrative 
Templates/System/User Profiles" gpmc_settingDescription="sets the maximum size of 
each user profile and determines the system r s response when a user profile reaches 
the maximum size.<br/><br/>if you disable this setting or do not 
configure it, the system does not limit the size of user 
profiles. <br/><br/>lf you enable this setting, you can do the 
following:<br/><br/>— set a maximum permitted user profile 
size;<br/><br/>— Determine whether the registry files are included in 
the calculation of the profile size;<br/><br/>— Determine whether 
users are notified when the profile exceeds the permitted maximum 
size;<br/><br/>— Specify a customized message notifying users of the 
oversized profile;<br/><br/>— Determine how often the customized 
message is displayed. <br/><br/>Note: This setting affects both local and 
roaming profiles. gpmc_supported="At least Microsoft Windows 2000">Limit profile 
si ze</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged User Setti ngs</tdx/tr> 
<trxtd colspan="3"xtable class="subtable_f rame" cellpadding="0" cellspacing="0"> 
<trxtd>custom Message</tdxtd>You have exceeded your profile storage space. Before 
you can log off, you need to move some items from your profile to network or local 
storage . </tdx/tr> 

<trxtd>Max Profile size (KB)</tdxtd>30000</tdx/tr> 
<trxtd>lnclude registry in file 1 ist</tdxtd>Disabled</tdx/tr> 
<trxtd>Notify user when profile storage space is 
exceeded. </tdxtd>Enabled</tdx/tr> 

<trxtd>Remind user every x minutes :</tdxtd>15</tdx/tr> 
</tabl ex/tdx/t rx/tabl e> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">windows 
Components/Internet Explorer</spanxa class="expando" href="#"x/ax/div> 
<diy class="container"xdiv class="he4i"xtable class="info3" cellpaddinq="0" 
cellspacing="0"> 

<trxth scope="col">Policy</thxth scope="col ">Setting</thxth scope="col ">winninq 
GPO</thx/tr> ~ ' M 

<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="javascript:showExplainText(this) ; return false;" gpmc_settingName="Di sable 
changing Advanced page settings" gpmc_settingPath="user Configuration/Administrative 
Templates/windows Components/internet Explorer" gpmc_settingDescription="Prevents 
users from changing settings on the Advanced tab in the internet Options dialog 
box.<br/><br/>lf you enable this policy, users are prevented from 
changing advanced Internet settings, such as security, multimedia, and printinq. 
Users cannot select or clear the check boxes on the Advanced 

tab.<br/><br/>lf you disable this policy or do not configure it, users 
can select or clear settings on the Advanced tab.<br/><br/>lf you set 
the &quot; Disable the Advanced page&quot; policy (located in \user 
Configuration\Admim strati ve Tempi ates\Windows Components\lnternet Explorer\lnternet 
Control Panel), you do not need to set this policy, because the &quot; Disable 
the Advanced paqe&quot; policy removes the Advanced tab from the interface." 
gpmc_supported= at least internet Explorer v5 .01">Disable changing Advanced paqe 
settings</ax/tdxtd>Enabled</tdxtd>LightlyManaged User Setti ngs</tdx/tr> 



onclick= javascnpt:showExplainText(this); return false;" gpmc_settingName="Di sable 
changing certificate settings" gpmc_settingPath="User Configuration/Administrative 
Templates/Windows Components/Internet Explorer" gpmc_settingDescription="Prevents 

users from chanainn cprl-i-Firai-e> tettinnc -in Tntor-not tz^^i ^„„*.,-^,- 



Certificates are used 



users from changing certificate settings in Internet Explorer. CertifT 
to verify the identity of software publishers.<br/><br/>lf you enable 
this policy, the settings in the Certificates area on the content tab in the 
Internet Options dialog box appear dimmed. <br/><br/>if you disable this 
P°l^y or do not configure it, users can import new certificates, remove approved 
publishers, and change settings for certificates that have already been 
accepted. <br/><br/&qt; The &quot; Disable the Content page&quot ; 
policy (located in \user Conf iguration\Administrative Tempi ates\windows 
Components\Internet Explorer\Internet Control Panel), which removes the Content tab 



from Internet Explorer in Control Panel, takes precedence over this policy, if it is 
enabled, this policy is ignored. &lt ;br/&gt ;&lt ;br/&gt ;Caution: if you enable this 
policy, users can still run the Certificate Manager import wizard by double-clicking 
a software publishing certificate (.spc) file. This wizard enables users to import 
and configure settings for certificates from software publishers that haven't 
already been configured for Internet Explorer." gpmc_supported="at least Internet 
Explorer v5.01">Disable changing certificate 

setti ngs</a></tdxtd>Enabl ed</tdxtd>Lightl yManaged user setti ngs</tdx/t r> 
<trxtdxa class="explainlink" href=="iavascript :void() ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Di sable 
changing default browser check" gpmc_settingPath="User Configuration/Administrative 
Templates/Windows Components/Internet Explorer" gpmc_settingDescription="Prevents 
Microsoft internet Explorer from checking to see whether it is the default 
browser. &lt ;br/&gt ;&lt ;br/&gt ;lf you enable this policy, the Internet Explorer 
Should Check to See whether It Is the Default Browser check box on the Programs tab 
in the internet Options dialog box appears dimmed. &lt ;br/&gt ;&lt ;br/&gt ;lf you 
disable this policy or do not configure it, users can determine whether internet 
Explorer will check to see if it is the default browser, when Internet Explorer 
performs this check, it prompts the user to specify which browser to use as the 
default. <br/><br/>This policy is intended for organizations that do not 
want users to determine which browser should be their 

default.<br/><br/>The &quot; Disable the Programs page&quot ; 
policy (located in \user Conf iguration\Admini strati ve Tempi ates\win3ows 
Components\Internet Explorer\lnternet control Panel), which removes the Programs tab 
from internet Explorer in control Panel, takes precedence over this policy, if it is 
enabled, this policy is ignored." gpmc_supported="at least Internet Explorer 
v5.01">Di sable changing default browser 

check</a></tdxtd>EnabTed</tdxtd>Li ghtl yManaged user Setti ngs</tdx/t r> 
<trxtdxa class="explainl ink" href= javascript : void() ; " 

onclick="javascript:showExplainText(this) ; return false;" gpmc_settingName="Di sable 
changing ratings settings" gpmc_settingPath="user Configuration/Administrative 
Templates /Windows Components/Internet Explorer" gpmc_settingDescription="Prevents 
users from changing ratings that help control the type of Internet content that can 
be viewed. &lt ;br/&gt ;&lt ;br/&gt ;If you enable this policy, the settings in the 
Content Advisor area on the Content tab in the Internet Options dialog box appear 
dimmed.&lt ;br/&gt ;&lt ;br/>lf you disable this policy or do not configure it, 
users can change their ratings sett ings.<br/><br/> The &quot; Disable 
the Ratings page&quot ; policy (located in \User Configuration\Administrative 
Tempi ates\Windows Components\internet Explorer\lnternet Control Panel), which 
removes the Ratings tab from Internet Explorer in Control Panel, takes precedence 
over this policy, if it is enabled, this policy is ignored." gpmc_supported="at 
least Internet Explorer v5 .01">Disabl e changing ratings 

setti ngs</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged User Setti ngs</tdx/tr> 
<trxtdxa class="explainl ink" href="iavascript :void() ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Di sable 
changing Temporary Internet files settings" gpmc__settingPath="user 
Configuration/Administrative Templates/windows components/internet Explorer" 
gpmc_settingDescription="Prevents users from changing the browser cache settings, 
such as the location and amount of disk space to use for the Temporary Internet 
Files folder. <br/&gt ;<br/>lf you enable this policy, the browser cache 
settings appear dimmed. These settings are found in the dialog box that appears when 
users cnck the General tab and then click the Settings button in the internet 
Options dialog box.&lt ;br/&gt ;&lt ;br/&gt ;lf you disable this policy or do not 
configure it, users can change their cache settings. Alt ;br/&gt ;&lt ;br/>lf you set 
the &quot; Disable the General page&quot ; policy (located in \user 
Configuration\Administrati ve Tempi ates\windows Components\lnternet Explorer\lnternet 
Control Panel), you do not need to set this policy, because the &quot ; Disable 
the General page&quot ; policy removes the General tab from the interface." 
gpmc_supported="at least Internet Explorer v5 .01">Disable changing Temporary 
Internet files setti ngs</ax/tdxtd>Enabled</tdxtd>Li ghtl yManaged User 
Setti ngs</tdx/tr> 

<trxtdxa class="explainlink" href="iavascript : void() ; " 

onclick="iavascript:showExplainText(this); return false;" gpmc_settingName="Disablo 
external branding of internet Explorer" gpmc_settingPath="user 



Configuration/Administrative Templates/windows components/internet Explorer" 
gpmc_settingDescnption=" Prevents branding of Internet programs, such as 
customization of internet Explorer and outlook Express logos and title bars bv 
another party. <br/><br/>lf you enable this policy, it prevents 
customization of the browser by another party, such as an Internet service provider 
or internet content provider. <br/><br/>lf you disable this policy or do 
not configure it, users could install customizations from another party-for example 
when signing up for internet services. <br/><br/>This policy is intended" 
for administrators who want to maintain a consistent browser across an 
organization. gpmc_supported="at least Internet Explorer v5.01">Di sable external 
settings</td></tf> et Exp1orer</a></td><td>Enabled< / td><td>L " i g ntl yManaged user 
•ctrxrJxa class="explainlink" href="iavascript:void() ■" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Di sable 
Internet Connection wizard" gpmc_settingPath="user Configuration/Administrative 
Templates /windows Components/Internet Explorer" gpmc_settingDescription="Prevents 
users from running the Internet Connection Wizard. <br/><br/&gt:lf you 
enable this policy the setup button on the connections tab in the Internet options 
dialog box appears dimmed. <br/><br/>users will also be prevented from 
running the wizard by clicking the Connect to the internet icon on the desktop or by 
clicking start, pointing to Programs, pointing to Accessories, pointinq to 
Communications, and then clicking Internet connection 

Wizard.<br/><br/>lf you disable this policy or do not configure it 
users can change their connection settings by running the Internet Connection ' 
Wizard.<br/><br/>Note: This policy overlaps with the &quot ; Disable 
the connections page&quot; policy (located in \User Configu rati on\Admini strati ve 
Templates\Windows Components\internet Explorer\mternet control Panel), which 
removes the Connections tab from the interface. Removing the connections tab from 
the interface, however, does not prevent users from running the internet Connection 

£S?«2-I r Sc St" 2 ?sk £? p ° r the Start men Y-" gpmc_supported="at least internet 
Explorer v5.01 >Disable Internet connection 

wizard</ax/tdxtd>Enabled</tdxtd>LightlyManaged User Settinqs</tdx/tr> 
<tr><tdxa class="explainlink" href="iavascript:void() ; " 

?hf of k %3 a , v ascnpt:showExplainText(tnis); return false;" qpmc_settingName="Di sable 
^Li^!o/w ?b ^ Sett Z ngs feature gP"ic_settingPath="user Configuration/Administrative 
Templates/windows Components/internet Explorer" gpmc_settingDescription=" Prevents 
users from restoring default settings for home and search 

Pages. <br/><br/> if you enable this policy, the Reset Web Settinqs button 
on the Programs tab in the Internet Options dialog box appears 
dimmed.<br/><br/>lf you disable this policy or do not configure it 
users can restore the default settings for home and search 

? a £:f;!l t; - br (M 9t; ^ the Programs page&quot; policy 

(located in \user Configuration\Admimstrative Tempi ates\windows Components\Internet 
Explorer\internet Control Panel), which removes the Programs tab from Internet 
Explorer in Control Panel, takes precedence over this policy, if it is enabled, this 
policy is ignored. gpmc_supported="at least internet Explorer v5 .01">Di sable the 
settin s</tdx/t?> feature</a></td><td>Enab1ed< / td><td>Li g h tlyManaged user 
<tr><tdxa class="explainlink" href="iavascript : void() ; " 

fii lc ^' avas cn'pt:showExplainText(this); return false;" gpmc_settingName="Do not 
allow AutoComplete to save passwords" gpmc_settingPath="User 
Configuration/Administrative Templates/Windows Components/internet Explorer" 
gpmc_settingDescnption="Di sables automatic completion of user names and passwords 
in forms on web pages, and prevents users from being prompted to save 
passwords. <br/><br/>lf you enable this policy, the user Names and 
Passwords on Forms and Prompt Me to Save Passwords check boxes appear dimmed. To 
rltV a Z lu* ch j ec u box ?s, users open the internet Options dialog box, click the 
Content tab, and then click the AutoComplete button. <br/>&Tt;br/> if you 
disable this policy or don't configure it, users can determine whether internet 
Explorer automatically completes user names and passwords on forms and prompts them 
to save passwords <br/&gt ;<br/&gt ; The &quot; Disable the Content 
page&quot; policy (located in \user Configuration\Administrative 
Tempi ates\Windows Components\lnternet Explorer\internet Control Panel), which 
removes the content tab from internet Explorer in control Panel, takes precedence 



over this policy, if it is enabled, this policy is ignored." gpmc_supported="at 
least internet Explorer v5.01">Do not allow AutoCompfete to save 
passwords</ax/tdxtd>Enabled</tdxtd>LightlyManaged User Settinqs</tdx/tr> 
<trxtdxa class="explainlink" href="javascript:voidO ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName=" Identity 
Manager: Prevent users from using identities" gpmc_settingPath="User 
Configuration/Administrative Templates/windows Components/internet Explorer" 
gpmc_settingDescription=" Prevents users from configuring unique identities by usina 
Identity Manager .< br/>< br/> Identity Manager enables users to create 
multiple accounts, such as e-mail accounts, on the same computer. Each user has a 
unique identity, with a different password and different program 
preferences. <br/><br/>lf you enable this policy, users will not be able 
to create new identities, manage existing identities, or switch identities The 
switch Identity option will be removed from the File menu in Address 
Book.<br/><br/>lf you disable this policy or do not configure it. users 
c r n «f» t y p a ? d chan 9 e identities." gpmc_supported="at least Internet Explorer 
v5.01 >ldentity Manager: Prevent users from using 

ldentities</ax/tdxtd>Enabled</tdxtd>LightlyManaged User Settings</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:voidO;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="search: 

Disable search customization" gpmc_settingPath="user Configuration/Administrative 

Templates/Windows Components/Internet Explorer" gpmc_settingDescription="Makes the 

Customize button in the Search Assistant appear dimmed.<br/><br/>The 

Search Assistant is a tool that appears in the Search bar to help users search the 

internet. <br/><br/>lf you enable this policy, users cannot change their 

search Assistant settings, such as setting default search engines for specific 

tasks <br/&gt ;<br/&gt ; If you disable this policy or do not configure it, users 

can change their settings for the Search Assistant. <br/><br/>This policy 

is designed to help administrators maintain consistent settings for searchinq across 

an organization. gpmc_supported="at least Internet Explorer v5 .01">Search : Disable 

Search Custom! zation</ax/tdxtd>Enabled</tdxtd>LightlyManaqed user 
Settings</tdx/tr> 

<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="use 
Automatic Detection for dial-up connections" gpmc_settingPath="User 
Configuration/Administrative Templates/Windows Components/Internet Explorer" 
gpmc_settingDescnption="Specifies that Automatic Detection will be used to 
C0 ^ U ^ dla r u P settings for users. <br/><br/> Automatic Detection uses 
a DHCP (Dynamic Host Configuration Protocol) or DNS server to customize the browser 
the first time it is started. <br/>&! t;br/> If you enable this policy, users' 
dial-up settings will be configured by Automatic Detection. <br/><br/&qt;lf 
you disable this policy or do not configure it, dial-up settings will not be 
configured by Automatic Detection, unless specified by the user." gpmc_supported="at 
least internet Explorer v5.01">Use Automatic Detection for dial-up 
connecti ons</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged User Setti ngs</tdx/tr> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex="0">windows 
Components/internet Explorer/Browser menus</spanxa class="expando" 
href="#"x/ax/div> 

<div class="container"xdiv class="he4i"xtable class="info3" cellpaddinq="0" 
cellspacing= 0 > 3 

s 5°Pe="col">Policy</thxth scope="col">Setting</thxth scope="col ">winninq 
GPO</tiix/tr> " 3 

<tr><tdxa class="explainlink" href="iavascript:void() ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Help 
menu: Remove For Netscape users' menu option" gpmc_settingpath="user 
Configuration/Administrative Templates/windows Components/Internet Explorer/Browser 
menus gpmc_settingDescription="Prevents users from displaying tips for users who 
are switching from Netscape. <br/><br/> If you enable this policy, the For 
Netscape Users command is removed from the Help menu.<br/><br/&qt;lf you 
disable this policy or do not configure it, users can display content about 
switching from Netscape by clicking the For Netscape Users command on the Help 
menu.<br/><br/>Caution: Enabling this policy does not remove the tips 
tor Netscape users from the Microsoft Internet Explorer Help file " 



<tr><td><a class="explainlink" href="javascript:voidO •" 

onclick= javascript:showExplainText(tnis); return false-" QDmc settinnN a m<.-" Ho in 
menu: Remove Send Feedback 1 menu option" gpmcsetting^th^Ssir 9 P 

lllhil 2J he S ?" d Fee 2 ba ck command on the Help menu.<br7>&lt-br/&at-lf vou 
enable this policy, the Send Feedback command is removed frS the Heln 

2!! U mi : i,ii*P : f I ;br/4g S :If y ° U disab1e this PO^cy or do no?coSf Sure it users 
~ 11 I an internet form to provide feedback about Microsoft Droducts" 

</table> 

?ominnpnJc/^ diV c l ass="he3"xspan cl ass="sectionTitl e" tabindex="0">windows 

G^Ah><A r r ,,COl,,>POllCy</th><th sc °Pe="col">Setting</th><th sco P e="col">winning 
™^i • t S > - Cl ass =" ex Pl ai nl i nk" href="iavascri pt : voidO ; " 

or remSvf snaE-fS 1 llio r/ h^^L a ^ eSu1t ' USers cannot create console files or add 
cannoHL thl 1™U ItZl 5k Ca *-? they cannot -,°P en author-mode console files, they 
cannot use the tools that the files contain. &lt:br/&at-&lt-br/*,ni--Th-i<: c«*+?i„ y 
permits users to open MMC user-mode console f les/ s2ch as' those on Jhe 9 
f^?^ St u atlVe TooYs menu in windows 20 °0 server familj or Windows Server 2003 

5 ^he^c'ii^rSarr^liVrSun ^tr^ S^h^Sft'Snu. (To 

MMC conso^i-ndM 

console 9 file's "° qD m? n s f u^^rtl fl '"^ e r f" ^ er ^Aor iffi^^aSSIJodS" 

nn^if^- class T" ex Plaimink" href="iavascript:voidO;" 

c™1o?e"1pm^ 

M^rosoftTn^ us ^ of 

us h e S this tt: sS?ti iV i "i S ^ Pr0h l l ted " except'^e^hat^of expl ic^Cpe^ 6 
o^if.f^ ting ^ you P lan . t0 Prohibit use of most snap-ins. Alt- br/St -Alt- bJ7Iar • 
KiS pllC J tly P? rmi £ a sna P-in, open the Restricted/Permitted snao-ins settina 9 ' 

Sl^Jtti^ the sna P- in wan^to p^rmi" J? a 

snap in setting in the folder is disabled or not configured, the snap-in is 



P ir lr ^fJii^i? 5 * 1 * ST 7 ! 9 *!-- If vou disable this settl 'ng or do not configure 
Ill-rill f" a P" lns n are Permitted, except those that you explicitly prohibit use tSis 
setting if you plan to permit use of most snap-ins .&lt:br/&qf&lt -br/&at- ' 

;a 1 iS?X- pr hi lb ^ 3 Snap " in> ° pen the "e*tr?cted/Si™rittSr sna^i^s setting folder 
and then disable the settings representing the snap-ins you want to orohibi? t? ! 
snap : in setting in the folder is enabled or not configured the snao-in is 

?h7lS/^ &1t;g c r/&gt: - &lt i b !; /& 9^ when a sna P"i" is prohibited it does SoJ appear in 
the Add/Remove Snap-in window in MMC. Also, when a user opens a console fife that 
includes a prohibited snap-in, the console file opens, but the prohibited snao-iJ 

</tabf^> /td><td>Enab1ed</td><td>Light1yManaged User settings</tdx/tr> 
</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex-'-O'Swindnw* 
Components/Task Scheduler</spanxa class="expando'' href="#"x/a></diJ> 
c1llsplcin^"S% ainer " ><diV c1ass = , "he4i"xtaEle ^las^^-infor^lipadding-'O" 
G^Ah><A?r' ,C ° r,>PO ' ,iCy</th><Th sco P e =""T'>Setting</thxth scope="col ">winning 
<tr><tdxa class="explainlink" href="iavascript :void() ■ " 

onclicks javascript:showExplainText(tnis); return false-" oomc settinaName-"n-iH e 
Advanced Properties checkbox in Add scheduled Task 5 zard" 9 g™c Ie«inqPa?h-"JsIr 
nnmrf^ a - 10 n /Admi - nistra P^ e Tempi ates/wi ndows Components/T5sk scheduler" 
SJ C fh?i t iI!E eS h np ?°V"7 h1 ? Se J ting removes the &quot;Open advanced properties 
Schedu ed Sk wi^d Cll Th i rnni h&am|?:qUO ? : S he< ? kbo 5 fr ° m tne last paSS of P Se CS 

Scheduler to automatical Ty open the newly created task's property shee? Son 
completion of the temp; quot; Add Scheduled Tasktemp;quot ; wizard ThTLsK 
property sheet allows users to change task characte?ist cs such 'as the program the 

setting in Computer configuration takes precedence over the letting in User 
^pIr^ercSec«Taal^ed5feJ% a ak MiCrOSOft " 1nd »» ^"^^vanced 

^^^^^ 

mfn^f i u / 5 g ? ; 5 lt;b r /> , Tl 2' is set ting removes the Properties item from the File 
menu in Scheduled Tasks and from the context menu that appears whin lou right-click 
a task. As a result, users cannot change any properties of a task tG! rlS Inl! «. 
the properties that appear in Detail v?ew and in the task V Can ° n1y 566 

cEESe?^ Se J ting P revents users from v i^inq and changing 

cnaracteri sties such as the program the task runs, its schedule dera-iTk iHi« V?ml 

and power management settings, and its security cintSt?&l?-br/^llt-6r/&-SS. 
3 ho?h t 2??s!SE earS in ^ he C0 "\ pute J configuration and ufer cSnffguSion^ldeS 
IL a setrm 9 s are configured, the setting in Computer Configuration takes 
K£?™ n %° V r th - S ^ tting , in User Co ^ig^ation.<br/&g?;&??;br/te^ This 

SFSSfv J22L ft X2l nfl taS ^ °, n1y - T ° Prevent "sers 'from 9 changiSg tS'JrSpeJt es 
?L" ew| y cr ? a t e d tasks, use the temp; quot; Remove Advanced Menutemp-ouot- settina " 
gpmc_supported="At least Microsoft Windows 2000">Hide Property ' Setting ' 

Paaes</a><r/rH^<rrH^Pnahiori^/<-^^^i-^^i ,„u*t... j I: . UH . l ' . . 



r> 




Templates/Windows Components/Task Scheduler" gpmc_settingDescription=" Prevents users 
from starting and stopping tasks manual! y.<br/><br/> This setting removes 
the Run and End Task items from the context menu that appears when you right-click a 
task. As a result, users cannot start tasks manually or force tasks to end before 
they are finished. <br/><br/>Note: This setting appears in the computer 
Configuration and User Configuration folders, if both settings are configured the 
setting in Computer configuration takes precedence over the setting in user ' 
Configuration. ' gpmc_supported="At least Microsoft windows 2000">Prevent Task Run or 
End</a></tdxtd>Enabl ed</tdxtd>Li qhtl yManaged User setti ngs</tdx/tr> 
<trxtdxa cl ass="expl ai nl i nk" href =" iavascri pt : voi d () ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Prohibit 
Browse gpmc_settingPath="User Configuration/Administrative Templates/Windows 
Components/Task Scheduler" gpmc_settingDescription="Limits newly scheduled to items 
on the user s Start menu, and prevents the user from changing the scheduled proqram 
for existing tasks. <br/&qt;<br/>This setting removes the Browse button from 
the Schedule Task Wizard and from the Task tab of the properties dialog box for a 
task. Also, users cannot edit the &quot;Run&quot; box or the &amp:quot: start 
in&quot; box that determine the program and path for a 

task.<br/><br/>As a result, when users create a task, they must select a 
program from the list in the scheduled Task wizard, which displays only the tasks 
that appear on the start menu and its submenus, once a task is created, users cannot 
change the program a task runs. <br/><br/> Important: This setting does 
not prevent users from creating a new task by pasting or dragging any program into 
the Scheduled Tasks folder. To prevent this action, use the &quot; Prohibit Draq- 
and-Drop&quot; setti ng.<br/&qt;<br/&qt; Note: This setting appears in the 
Computer Configuration and user configuration folders. If both settings are 
configured, the setting in computer Configuration takes precedence over the setti nq 
in User configuration. gpmc_supported="At least Microsoft windows 2000">Prohibit 
Browse</ax/tdxtd>Enabled</tdxtd>Lightl yManaged User Setti ngs</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName=" Prohibit 
Drag-and-Drop gpmc_settingPath="user Configuration/Administrative Templates/windows 
Components/Task Scheduler" gpmc_settingDescription="Prevents users from addinq or 
removing tasks by moving or copying programs in the scheduled Tasks 
folder.<br/><br/>This setting disables the cut, copy, Paste, and Paste 
shortcut items on the context menu and the Edit menu in scheduled Tasks, it also 
disables the drag-and-drop features of the scheduled Tasks 

folder. <br/><br/>As a result, users cannot add new scheduled tasks by 
dragging, moving, or copying a document or program into the Scheduled tasks 
folder. <br/><br/>This setting does not prevent users from using other 
methods to create new tasks, and it does not prevent users from deleting 
tasks. <br/><br/>Note: This setting appears in the Computer Configuration 
and User Configuration folders, if both settings are configured, the setti nq in 

COmDUter Confl duration takp<; nraror\ar\ra m/or* tna eo-t-i-T n/~t in limn «. . J — " 



Computer Configuration takes precedence over the setting in user Configuration. 
gpmc_supported="At least Microsoft Windows 2000">Prohibit Drag-and- 
Drop</ax/tdxtd>Enabled</tdxtd>Lightl yManaged User Setti ngs</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:void() ; " 

onclick=="javascript:showExplainText(this); return false;" gpmc_settingName=" Prohibit 
New Task Creation gpmc_settingPath="user Configuration/Administrative 
Templates/Windows Components/Task Scheduler" gpmc_settingDescription="Prevents users 
from creating new tasks. <br/><br/>This setting removes the Add Scheduled 
Task item that starts the New Task wizard. Also, the system does not respond when 
users try to move, paste, or drag programs or documents into the Scheduled Tasks 
folder. <br/><br/&qt;Note: This setting appears in the computer 
Configuration and User Configuration folders, if both settings are configured, the 
setting in Computer Configuration takes precedence over the setting in User 
Conf igurati on. <br/><br/> Important: This setting does not prevent 
administrators of a computer from using At.exe to create new tasks or prevent 
administrators from submitting tasks from remote computers." gpmc_supported="At 
least Microsoft windows 2000">Prohibit New Task 

Creation</ax/tdxtd>Enabled</tdxtd>Lightl yManaged User setti nqs</tdx/tr> 
<trxtdxa class="explainlink" href="iavascript:void() ;" 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName=" Prohibit 
Task Deletion gpmc_settingPath="user Configuration/Administrative Templates/windows 



components/Task Scheduler gpmc_settingDescription="Prevents users from deletinq 
tasks from the scheduled Tasks folder.<br/>&1t;br/&qt;This setting remove! the 
Delete command from the Edit menu in the Scheduled Tasks folder and from the menu 
that appears when you right-click a task. Also, the system does not respond when 
users try to cut or drag a task from the Scheduled Tasks 
folder. <br/><br/>Note: This setting appears in the Computer 
Configuration and User Configuration folders. If both settings are confiqured the 
setting in computer Configuration takes precedence over the settinq in User 
Conf igurati on. <br/><br/> Important: This setting does not prevent 
administrators of a computer from using At.exe to delete tasks." qpmc supported="At 
least Microsoft Windows 2000">Prohi bit Task »uppur«a at. 

Del etion</ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged user setti nqs</tdx/t r> 
</table> 

</divx/divxdiv class="he3"xspan class="sectionTitle" tabindex=' , 0">windows 
Components/Windows Explorer</spanxa class="expando" href="#"x/ax/div> 
cellspacin = -"0"> 6r class= " he4i " ><table class="info3" cellpadding="0" 

GPO</th></t r> = " C01 " >P0] 1 cy</th><th sc °P e ="col ">setti ng</thxth scope="col ">wi nni ng 
<trxtdxa class="explainlink" href="iavascript :void() ; " 

onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow 
only per user or approved shell extensions" gpmc_settingPath="user 
Configuration/Administrative Templates/windows Components/Windows Explorer" 
gpmc_settingDescription="This setting is designed to ensure that shell extensions 
can operate on a per-user basis, if you enable this setting, Windows is directed to 
only run those shell extensions that have either been approved by an administrator 
or that will not impact other users of the machine. <br/><br/&gt:A shell 
extension only runs if there is an entry in at least one of the following locations 
in registry. <br/><br/>For shell extensions that have been approved by 
the administrator and are available to all users of the computer, there must be an 
entry at HKEY_LOCAL_MACHlNE\Software\Microsoft\Windows\CurrentVersion\Shell 
Extensions\Approved.<br/><br/>For shell extensions to run on a per-user 
basis, there must be an entry at 

HKEY_cURRENT_usER\software\Microsoft\Windows\currentversion\shell 
Extensions\Approved." gpmc_supported="At least Microsoft windows 2000">Allow only 
User U Settings?/t^</tr> extensions</a></td><td>Enab " led </ td ><td>Li ghtl yManaged 
<trxtdxa class="explainl ink" href="iavascript:void() ; " 

onclick="iavascript:showExplainText(this); return false;" gpmc_settingName="Do not 
request alternate credentials" gpmc_settingPath="user Configuration/Administrative 
Templates/Windows Components/Windows Explorer" gpmc_settingDescription=" Prevents 
users from submitting alternate logon credentials to install a 

program. <br/>&Tt;br/>This setting suppresses the &quot; Install Program 
as other user&qupt; dialog box for local and network installations. This dialoq 
box, which prompts the current user for the user name and password of an 
administrator, appears when users who are not administrators try to install proqrams 
locally on their computers. This setting allows administrators who have loqqed on as 
regular users to install programs without logging off and logging on again usinq 
their administrator credentials. <br/>&Tt;br/>Many programs can be installed 
only by an administrator, if you enable this setting and a user does not have 
sufficient permissions to install a program, the installation continues with the 
current user s logon credentials. As a result, the installation might fail, or it 
might complete but not include all features. Or, it might appear to complete 
successfully, but the installed program might not operate 

correctly. <br/&gt ;<br/>lf you disable this setting or do not configure it 
the &quot; install Program As other user&quot ; dialog box appears whenever 
users install programs locally on the compute r.<br/><br/> By default, 
users are not prompted for alternate logon credentials when installing programs from 
a network share, if enabled, this setting overrides the &quot; Request 
credentials for network install ations&quot; setting." gpmc_supported="At least 
Microsoft Windows 2000">Do not request alternate 

credent! al s</ ax/tdxtd>Enabl ed</tdxtd>Li ghtl yManaged user Setti nqs</tdx/tr> 
<tr><tdxa class= "explainlink" href="iavascript:void() ; " 

onclick= , javascnpt:showExplainText(this); return false;" gpmc_settingName="Hides 



Snf?nnri*,-^/T^ 0 " * h f Windows Explorer context menu" gpmc_settingPath="user 
nZt £ES °" /Admi . m ? tra ? ve Tempi ates/wi ndows Components/Wi ndows Explorer" 
SEE - XK n ?ES-vJ pt10n,B Removes Manage item from the windows SplSrSr context 
Sutlr lit brMat m Il?-b^In, rS Th he S V ° U ick WindoWS Ex P lorer or V 

20 y 00 

tool s.<br/><br/&qt; This setting does not remove the Computer Manaaement 
item from the start menu (Start, Programs, Administrative Tools Computer 9 
Management) nor does it prevent users from using other methods to 5^ 0™.™^ 
Management. <br/><br/>Tip: To hide alT contex^menus Sse ?he Computer 
S : ^n^ R ^T^^V dows borer's default context menu&amp?q2ot; seeing " 
gpmc_supported="At least Microsoft windows 2000">Hides the Manaae item on the 

Se«ings</?d></t r r" nteXt menu </ a ></ td ><^>Enabled</td><td>Ligh??yMaJag^ 

<tr><tdxa cl ass="expl ai nl i nk" h ref="iavascr i pt : voi d() : " 

onclick= javascnpt:showExplainText(this); return false:" qpmc settinaName-"Nn 
&quot; Entire Network&quot; in My Network Place!' gX iSinqPa^-"user 
Conf l gurati on/Admi ni strati ve Tempi ates/wi ndows Components/wi ndows Ex?>l Ser" 
gpmc settTng D escription="Removes all computers outride of the user ! s workgroup or 

Places &??-br/S-Il? t br/L? e T r rk reso " rces J n w ^dows Explorer'and My Kork 
Kiaces.&ir,Dr/&gt,&lt,br/&gt If you enable this settinq, the svstem removp*: rhp 

Placel an a W f^°?S:°h and the ic °? S ^P r ^^ting networked coSSSs from My Network 
Places and from the browser associated with the Map Network Drive 
option <br/><br/>This setting does not prevent users from viewina or 
fr!T^ ing ^° com P uters in t^ir workgroup or domaih. it also does not prevent Lers 
from connecting to remote computers by other commonly used methods such tl bv 

tlx ^t-br/l^'Il^r/r^l 6 Run dl ' alog box or the Ma P NetwSrk Drive dialog * 
i?o;f V r /*9t;<br/>To remove computers in the user's workqroup or domain from 
lists of network resources, use the &quot;No &quot; Computers Near 
Me&quot; in My Network Places&quot; setting.* tX/&g?;&l^br/Iq[ -Note • it 
cer^if^ST f % thi : d "P^ty applications with windows 2000 oblate? ' 
! SSSi ^Sot^ntlrrSeSor^uo^n^M N « PP ° rted -" At leaSt Wi " d ™ s 

l~ u h br / & 9 t « &lt ., br />This setting removes the Hardware tab from Mouse 

^&^'r a h d * S0Und ^ and Audi< ? Devic " in C0 " tr °l Panel, it also removes the 
Hardware tab from the Properties dialog box for all local drives includina hard 
drives, floppy disk drives, and CD-ROM drives. As a result, users cSnnot ule the 
Trn^th^ ^V eW ° r cha V9 e the device list or device proxies ™ use the 
M^^rSIoft^SinS^oSS-^e^ EZSSl ^ ^ ' "Vcsupporte^AtMast 

</tab^J /td><td>Enab1 ed< / td><td>Ll 'ghtl yManaged User setti ngs</tdx/tr> 

</divx/div><div class="he3"xspan class="sectionTitle" tabindex-"0">wi ndows 
Components/windows Install er</spanxa class="expando" href="#"x/ax/diC> 
JellsplSnpS"^ 1 " 6 ' ><diV class ="he4i"xtable P C lass="info3" cel?padding="0" 
G^Ah></? r > = " C01 " >P01 ic y </th><th scope="col ">setting</thxth scope="col ">winning 
<tr><tdxa class="explainlink" href="iavascript :voidO • " 

media" llrh i«rn J^c r/ §? t;lf * user tri , es to install a program from removable 
installation is running in the user's security context. <b°/><br/&g?; if you 



whln"he t i^tIl?Ii?l„ 0 1 r s d ?unninS°?r?^?- 1 ' t: - USePS ^ ,nsta11 from removable media 
administrat ed use removabll media wheHnln^al Lt?5: e ?< ' but .°" 1 >'. 

</table> 




G t P0:/ < t t h></?f r ' ' C01 " >Setti n 9< /th >< th »«»Pe-"col ">State</thxth scope=»col ">wi nni ng 
<tr><td>software\Policies\Microsoft\windows\Network 

s^in^^trT^^"^^ user 
</table> 

</di vx/di vx/di vx/di v> 
</div> 

</bodyx/htm1> 



APPENDIX D 

XML for RSoP (FIG. 19) 



<?xml version="1.0" encoding="utf-16" ?> 
- <Rsop xmlns:xsd=' http://www.w3.org/2001/XMLSchema" 
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance" 
xmlns= http://www.microsoft.com/GroupPolicy/Rsop"> 

<ReadTime>2003-06-27T23:43:44.2307248-07:00</ReadTime> 
<DataType>LoggedData</DataType> 
- <UserResults> 

<Version>2228227</Version> 

<Name>GPMCDEMO\anthonyc</Name> 

<Domain>GPMCDemo.com</Domain> 

< rn > aged< C / SOMr COm/COrP HMd « uarte "/""' Accounts/Lightly 

<Site>Default-First-Site-Name</Site> 

- <SearchedSOM> 

<Path>GPMCDemo.com/Corp Headquarters/User Accounts/ Lightly 
Managed</Path> a y 

<Type>OU</Type> 
<0rder>6</0rder> 

<BlocksInheritance>false</BlocksInheritance> 
<Blocked>false</Blocked> 
<Reason>Normal</Reason> 
</SearchedSOM> 

- <SearchedSOM> 

<Path>GPMCDemo.com</Path> 

<Type>Domain</Type> 

<0rder>3</0rder> 

<BlocksInheritance>false</BlocksInheritance> 
<Blocked>false</Blocked> 
<Reason>Normal</Reason> 
</SearchedSOM> 

- <SearchedSOM> 

<Path>GPMCDemo.com/Configuration/Sites/Default-First-Site- 

Name</Path> ~ ~ 

<Type>Site</Type> 
<0rder>2</0rder> 

<BlocksInheritance>false</BlocksInheritance> 
<Blocked>false</Blocked> 
< Reason > Normal </Reason> 
</SearchedSOM> 

- <SearchedSOM> 

<Path>GPMCDemo.com/Corp Headquarters/User Accounts</Path> 

<Type>OU</Type> 
<0rder>5</0rder> 

<BlocksInheritance>false</BlocksInheritance> 
<Blocked>false</Blocked> 
<Reason>Normal</Reason> 
</SearchedSOM> 

- <SearchedSOM> 

<Path>GPMCDemo.c m/Corp Headquarters</Path> 

<Type>OU</Type> 
<0rder>4</0rder> 

<BlocksInheritance>false</BlocksInheritance> 
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<Blocked>false</Blocked> 

< Reason > Normal </Reason> 
</SearchedSOM> 
<SearchedSOM> 

< Path > Local </Path> 

< Ty pe > Lo ca I < /Ty pe > 
<0rder>K/0rder> 

<BlocksInheritance>false</BlocksInheritance> 
<Blocked>false</Blocked> 

< Reason > Normal </Reason > 
</SearchedSOM> 
<SecurityGroup> 

<SID xmlns="http://www.microsoft.com/GroupPolicy/Types M >S-l-5-21- 
3236881260-3653063036-2003513472-513</SID> 

<Name 

xmlns= , 'http://www.microsoft.com/GroupPolicy/Types">GPMCDEMO\Domain 

Users</Name> 

</SecurityGroup> 
<SecurityGroup> 

<SID xmlns= M http://www.microsoft.com/GroupPolicy/Types">S-l-l- 

0</SID> 
<Name 

xmlns="http://www.microsoft.com/GroupPolicy/Types">Everyone</Name> 

</SecurityGroup> 
<SecurityGroup> 

<SID xmlns="http:// www. microsoft.com/GroupPolicy/Types" >S- 1-5-32- 

555</SID> 

<Name 

xmlns = "http:// www. microsoft. com/GroupPolicy/Types">BUILTIN\Remote 

Desktop Users</Name> 
</SecurityGroup> 
<SecurityGroup> 

<SID xmlns="http://www.microsoft.com/GroupPolicy/Types ,, >S-l-5-32- 

545</SID> 
<Name 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> BUILTIN\Users</Narr:e 

</SecurityGroup> 
<SecurityGroup> 

<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-l-5-32- 

554</SID> 
<Name 

xmlns="http:// www. microsoft.com/GroupPolicy/Types"> BUILTIN\Pre- 
Windows 2000 Compatible Access</Name> 

</SecurityGroup> 
<SecurityGroup> 

<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-l-5- 

4</SID> 

<Name xmlns = "http://www.microsoft.c m/GroupPolicy/Types">NT 
AUTHORITY\INTERACTIVE</Name> 

</SecurityGroup> 
<SecurityGroup> 

<SID xmlns = "http://www.micros ft.com/Gr upPolicy/Types">S-l-5- 

11</SID> 
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<Name xmlns= , http://www.microsoft.com/GroupPolicy/Types">NT 
AUTHORITY\Authenticated Users</Name> 

</SecurityGroup> 

- <SecurityGroup> 

<SID xmlns="http://www. micros ft.com/GroupPolicy/Types' >S- 1-5- 

15</SID> 

<Name xmlns="http://www,microsoft.com/GroupPolicy/Types">NT 
AUTHORITY\This Organization </Name> 
</5ecurityGroup> 

- <SecurityGroup> 

<SID xmlns=' http://www.microsoft.com/GroupPolicy/Types M >S-l-2- 

0</SID> 
<Name 

xmlns="http://www.microsoft.com/GroupPolicy/Types M >LOCAL</Name> 

</SecurityGroup> 
<SlowLink>false</SlowLink> 

- <ExtensionStatus> 

<Name> Registry </Name> 

<Identifier>{35378EAC-683F-llD2-A89A-00C04FBBCFA2}</Identifier> 

<BeginTime>2003-06-27T23:40:19.0000000-07:00</BeginTime> 

<EndTime>2003-06-27T23:40:21.0000000-07:00</EndTime> 

<LoggingStatus>Complete</LoggingStatus> 
<Error>0</Error> 
</ExtensionStatus> 

- <ExtensionStatus> 

<Name>Group Policy Infrastructure</Name> 

<Identifier>{00000000-0000-0000-0000-000000000000}</Identifier> 

<BeginTime>2003-06-27T23:40:17.0000000-07:00</BeginTime> 

<EndTime>2003-06-27T23:40:22.0000000-07:00</EndTime> 

<LoggingStatus>Complete</LoggingStatus> 
<Error>0</Error> 
</ExtensionStatus> 

- <ExtensionStatus> 

<Name>Internet Explorer Branding</Name> 

<Identifier>{A2E30F80-D7DE-lld2-BBDE-00C04F86AE3B}</Identifier> 

<BeginTime>2003-06-27T23:40:21.0000000-07:00</BeginTime> 

<EndTime>2003-06-27T23:40:22.0000000-07:00</EndTime> 

<LoggingStatus>Complete</LoggingStatus> 
<Error>0</Error> 
</ExtensionStatus> 

- <ExtensionStatus> 

<Name>Folder Redirection</Name> 

<Identifier>{25537BA6-77A8-llD2-9B6C-0000F8080861></Identifier> 

<BeginTime>2003-06-27T23:40:21.0000000-07:00</BeginTime> 

<EndTime>2003-06-27T23:40:21.0000000-07:00</EndTime> 

<LoggingStatus>Complete</LoggingStatus> 
<Error>0</Error> 
</ExtensionStatus> 

- <GPO> 

<Name>Default Domain Policy</Name> 
- <Path> 

<Identifier xmlns=" http://www.micr soft.c m/GroupPolicy/Types"> 
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{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/Gr upP licy/Types H >gpmcdem .c m</Don 
</Path> 

<VersionDirectory>l</VersionDirectory> 

<VersionSysvol>l</VersionSysvol> 

<Enabled>true</Enabled> 

<IsValid>true</IsValid> 

<FilterAllowed>true</FilterAllowed> 

<AccessDenied>false</AccessDenied> 

- <Link> 

<SOMPath>GPMCDemo.com</SOMPath> 

<SOMOrder>3</SOMOrder> 
<Applied0rder>2</Applied0rder> 
<Link0rder>4</Link0rder> 
<Enabled>true</Enabled> 
<NoOverride>false</NoOverride> 
</Link> 
</GPO> 

- <GPO> 

<Name>WW ITG Policy</Name> 

- <Path> 

<Identifier xmlns= 'http://www. microsoft.com/GroupPolicy/Types"> 
{9DE1E409-B0BF-4ECF-BCE1-F18B828768B4}</Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</Don 

</Path> 

<VersionDirectory>l</VersionDirectory> 

<VersionSysvol>l</VersionSysvol> 

<Enabled>true</Enabled> 

<IsValid>true</IsValid> 

<FilterAllowed>true</FilterAllowed> 

<AccessDenied>false</AccessDenied> 

- <Link> 

<SOMPath>GPMCDemo.com</SOMPath> 
<S0M0rder>2</S0M0rder> 
<AppliedOrder>5</AppliedOrder> 
<LinkOrder>3</LinkOrder> 

< Enabled >true</Enabled> 

< NoOverride > true</NoOverride > 
</Link> 

</GPO> 

- <GPO> 

<Name>WW EFS Recovery Policy</Name> 

- <Path> 

<Identifier xmlns= M http://www.microsoft.com/GroupPoIicy/Types M > 
{7FB311EA-A625-4FC7-AA2D-E49880A31B53}</Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</Don 

</Path> 

<VersionDirectory>l</VersionDirectory> 
<VersionSysvol>l</VersionSysvol> 
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<Enabled>true</Enabled> 
<IsValid>true</IsValid> 
<FilterAllowed>true</FilterAllowed> 
<AccessDenied>false</AccessDenied> 

- <Link> 

<SOMPath>GPMCDemo,com</SOMPath> 
<SOMOrder>l</SOMOrder> 
<AppliedOrder> 1</Applied0rder> 
<LinkOrder>2</LinkOrder> 
<Enabled>true</Enabled> 

<NoOverride>false</NoOverride> 
</Link> 
</GPO> 
- <GPO> 

<Name>LightlyManaged User Settings</Name> 

- <Path> 

<Identifier xmlns="http://www.microsoft.com/GroupPolicy/Types M > 

{B8523A61-8642-4913-8B00-7DCA994602DC></Identifier> 

<Domain 

</Pa X th> S= http://wWW ' microsoft - com/GroupPo,k 

<VersionDirectory>l</VersionDirectory> 

<VersionSysvol>l</VersionSysvol> 

<Enabled>true</Enabled> 

< Is Va I id > true </IsVa lid > 

<FilterAllowed>true</FilterAllowed> 

<AccessDenied>false</AccessDenied> 

- <Link> 

<SOMPath>GPMCDemo.com/Corp Headquarters/User 
Accounts/Lightly Managed</SOMPath> 

<S0M0rder>K/S0M0rder> 
<Applied0rder>4</Applied0rder> 
<Link0rder>6</Link0rder> 
<Enabled>true</Enabled> 

<NoOverride>false</NoOverride> 
</Link> 
</GPO> 
■ <GPO> 

<Name>Common Managed Settings</Name> 

- <Path> 

<Identifier xmlns= ,, http://www.microsoft.com/GroupPolicy/Types M > 

{82B535FA-647B-4991-85FC-6041C3FE4582}</Identifier> 

<Domain 

<VersionDirectory>l</VersionDirectory> 

<VersionSysvol>l</VersionSysvol> 

<Enabled>true</Enabled> 

<IsValid>true</IsValid> 

<FilterAllowed>true</FilterAllowed> 

<AccessDenied>false</AccessDenied> 

- <Link> 
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<SOMPath>GPMCDemo.com/Corp Headquarters/User 

Accounts</SOMPath> 
<SOMOrder>l</SOMOrder> 
<AppliedOrder>3</AppliedOrder> 
<LinkOrder>5</LinkOrder> 
<Enabled>true</Enabled> 
< NoOverride >false </NoOverride > 
</Link> 
</GPO> 

- <GPO> 

<Name>Local Group Policy</Name> 

- <Path> 

<Identifier 

xmlns="http:// www.microsoft.com/GroupPolicy/Types"> ^ 

</Path> 

<VersionDirectory>0</VersionDirectory> 

<VersionSysvol>0</VersionSysvol> 

<Enabled>true</Enabled> 

<IsValid>true</IsValid> 

<FilterAllowed>true</FilterAllowed> 

<AccessDenied>false</AccessDenied> 

- <Link> 

<SOMPath>Local</SOMPath> 
<SOMOrder> l</SOMOrder> 
<AppliedOrder>0</AppliedOrder> 
<LinkOrder> 1</Link0rder> 
<Enabled>true</Enabled> 
<NoOverride>false</NoOverride> 
</Link> 
</GPO> 

- <ExtensionData> 

- <Extension 

xmlns:ql= ,, http://www.microsoft.com/GroupPolicy/Settings/Registry M 
xsi:type = "ql:RegistrySettings" 

xmlns="http:// www. microsoft.com/GroupPolicy/Settings"> 

- <ql:Policy> 
- <GPO 

xmlns= n http://www.microsoft.com/GroupPoIicy/Settings/Base"> 

<Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 
{B8523A61~8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

xmlns = "http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns = 'http://www.microsoft.com/GroupPolicy/Settings/Base ">1</Preceder 
<ql:Name>Show only specified Control Panel applets</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>Hides all Control Panel items and folders except 
th se specified in this setting. \n\nThis setting removes all 
C ntrol Panel items (such as Network) and f Iders (such as 
Fonts) fr m the Control Panel wind w and the Start menu. It 
removes C ntrol Panel items you have added to your system, 
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as well the Contr I Panel items included in Wind ws 2000 and 
Windows XP Professi nal. The only items displayed in Control 
Panel are those you specify in this setting. \n\nTo display a 
Contr I Panel item, type the file name f the item, such as 
Ncpa.cpl (for Network). To display a folder, type the folder 
name, such as Fonts. \n\nThis setting affects the Start menu 
and Control Panel wind w only. It does not prevent users from 
running any Control Panel items. \n\nAlso, see the "Remove 
Display in Control Panel" setting in User 
Configuration\Administrative Templates\Control 
Panel\Display.\n\nIf both the "Hide specified Control Panel 
applets" setting and the "Show only specified Control Panel 
applets" setting are enabled, the "Show only specified Control 
Panel applets" setting is ignored. \n\nTip: To find the file name 
of a Control Panel item, search for files with the .cpl file name 
extension in the %Systemroot%\System32 
directory. </ql: Explain > 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql: Category >Control Panel </ql:Category> 

- <ql:ListBox> 

<ql:Name>List of allowed Control Panel applets</ql:Name> 
<ql:State>Enabled</ql:State> 
<ql : ExplicitValue>false</ql :ExplicitValue> 
<ql:Additive>false</ql:Additive> 
<ql:ValuePrefix /> 
- <ql:Value> 

- <ql:Element> 

<ql: Data >desk.cpl</ql: Data > 
</ql:Element> 

- <ql:Element> 

< q 1 : Data > app wi z -cpl </q 1 : Data > 
</ql:Element> 

- <ql:Element> 

<ql;Data>access.cpl</ql:Data> 
</ql:Element> 

- <ql:Element> 

<ql:Data>main.cpl</ql:Data> 
</ql:Element> 
</ql:Value> 
</ql:ListBox> 

- <ql:Text> 

<ql:Name>To create a list of allowed Control Panel applets, 
click Show,</ql:Name> 

</ql:Text> 

- <ql:Text> 

<ql:Name>then Add, and enter the Control Panel file name 
(ends with .cpl)</ql:Name> 
</ql:Text> 

- <ql:Text> 

<ql:Name>or the name displayed under that item in the 
Contr I Panel. </ql:Name> 
</ql:Text> 

- <ql:Text> 
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<ql:Name>(e.g. / desk.cpl, powercfg.cpl, Printers)</ql:Name> 

</ql:Text> 
</ql:Policy> 
- <ql:Policy> 
- <GPO 

xmlns=='http://www.micros ft.c m/GroupP licy/Settings/Base"> 

< Identifier 

xmlns= M http://www.microsoft.com/GroupPoIicy/Types'> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

xmlns= M http://www.microsoftxom/GroupPolicy/Types H >gpmcdemo.com 

</GPO> ~* ; 

<Precedence 

xmlns='http://www.microsoft.com/GroupPolte^^ 
<ql:Name>Hide Add/Remove Windows Components 

page</ql:Name> 

<ql:State>Enabled</ql:State> 

<ql:Explain>Removes the Add/Remove Windows Components 
button from the Add or Remove Programs bar. As a result, 
users cannot view or change the associated page.\n\nThe 
Add/Remove Windows Components button lets users configure 
installed services and use the Windows Component Wizard to 
add, remove, and configure components of Windows from the 
installation files.\n\nlf you disable this setting or do not 
configure it, the Add/Remove Windows Components button is 
available to all users. \n\nThis setting does not prevent users 
from using other tools and methods to configure services or 
add or remove program components. However, this setting 
blocks user access to the Windows Component 
Wizard. </ql:Explain> 
<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 
<ql:Category>Control Panel/Add or Remove 
Programs</ql :Category> 
</ql:Policy> 
- <ql:Policy> 
- <GPO 

xmlns= n http://www.microsoft.com/GroupPolicy/Settings/Base M > 

< Identifier 

xmlns= M http://www.microsoft.com/GroupPolicy/Types'> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GPO> S= http://WWW ' miCrOSoft ' com/GroupPolk 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base M >K/Preceder 
<ql:Name>Hide the "Add a program from CD-ROM or floppy disk" 

option</ql:Name> 

< q 1 : State > Enabled </q 1 : State > 

<ql:Explain>Removes the "Add a program from CD-ROM or floppy 
disk" section from the Add New Programs page. This prevents 
users from using Add or Rem ve Programs to install programs 
from removable media. \n\nlf you disable this setting or do not 
configure it, the "Add a program from CD-ROM or floppy disk" 
option is available t all users.\n\nThis setting does n t 
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prevent users from using other tools and methods to add or 

remove program comp nents.\n\nNote: If the "Hide Add New 
Programs page" setting is enabled, this setting is ignored. Also, 
if the "Prevent removable media s urce for any install" setting 
(located in User Configuration \Administrative 
Templates\Windows Components\Windows Installer) is 
enabled, users cann t add programs fr m rem vable media, 
regardless f this setting. </ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category>Control Panel/Add or Remove 
Programs</ql :Category> 
</ql : Policy > 

- <ql:Policy> 
- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GPO> S= ' ,http://WWW ' micr0soft - com/Grou P Polic y/ T yP es ">gpmcdemo.com</ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preceder 
<ql:Name>Hide the "Add programs from Microsoft" /^eceaer 

option</ql:Name> 

<ql:State>Enabled</ql:State> 

<ql:Explain> Removes the "Add programs from Microsoft" section 
from the Add New Programs page. This setting prevents users 
from using Add or Remove Programs to connect to Windows 
Update. \n\nlf you disable this setting or do not configure it, 
"Add programs from Microsoft" is available to all 
users.\n\nThis setting does not prevent users from using other 
tools and methods to connect to Windows Update.\n\nNote: If 
the "Hide Add New Programs page" setting is enabled, this 
setting is ignored. </ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category>Control Panel/Add or Remove 
Programs</ql:Category> 
</ql:Policy> 

- <ql:Policy> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GPO> S= ' http://wwW - microsoft - com/Grou P Po,ic y/ T yP es ">9Pmcdemo.com</ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preceder 
<ql:Name>Specify default category for Add New /rreceoer 

Programs</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>Specifies the category f programs that appears 
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when users pen the "Add New Programs" page.\n\nlf y u enable 
this setting, only the programs in the category you specify are 
displayed when the "Add New Pr grams" page opens. Users 
can use the Category box on the "Add New Programs" page to 
display programs in other categories.\n\nTo use this setting, 
type the name of a category in the Category box for this 
setting. You must enter a category that is already defined in 
Add or Remove Programs. To define a category, use Software 
Installation. \n\nlf you disable this setting or do not configure 
it, all programs (Category: All) are displayed when the "Add 
New Programs" page opens.\n\nYou can use this setting to 
direct users to the programs they are most likely to 
need.\n\nNote: This setting is ignored if either the "Remove 
Add or Remove Programs" setting or the "Hide Add New 
Programs page" setting is enabled.</ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category>Control Panel/Add or Remove 
Programs</ql :Category> 

- <ql:EditText> 

<ql:Name>Category:</ql:Name> 

<ql:State>Enabled</ql:State> 

<ql : Value>Custom Applications</ql : Value> 
</ql:EditText> 
</ql:Policy> 
<ql:Policy> 

- <GPO 

xmlns= M http://www. microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types'> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

< Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com<y 

</GPO> 

< Precedence 

xmlns= M http://www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 
<ql:Name>Hide Settings tab</ql:Name> 

<ql:State>Enabled</ql:State> 

<ql;Explain>Removes the Settings tab from Display in Control 
Panel. \n\nThis setting prevents users from using Control Panel 
to add, configure, or change the display settings on the 
computer. </ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000 </ql: Supported > 

<ql:Category>Control Panel/Display</ql:Category> 

/ql:Policy> 

ql:Policy> 

<GPO 

xmlns='http://www.microsoft.com/GroupPolicy/Settings/Base M > 

identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

xmlns="http://www.micr soft.com/Gr upPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 
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xmlns="http://www.micr s ft.c m/GroupPolicy/Settings/Base«>K/Precedence> 
<ql:Name>Screen Saver </ql:Name> «.euence;> 

<ql:State>Enabled</ql:State> 

<ql:Explain>Enables desktop screen savers.\n\nlf y u disable 
this setting, screen savers d not run. Also, this setting 
disables the Screen Saver section of the Screen Saver tab in 
Display in Control Panel. As a result, users cannot change the 
screen saver options.\n\nIf y u do not configure it, this 
setting has no effect on the system. \n\nlf you enable it, a 
screen saver runs, provided the following two conditions hold: 
First, a valid Screensaver on the client is specified through the 
Screensaver executable name" setting or through Control 
Panel on the client computer. Second, the Screensaver timeout 
is set to a nonzero value through the setting or Control 
Panel. \n\nAlso, see the "Hide Screen Saver tab" 
setting. </ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000 Service Pack 
l</ql:Supported> 

<ql : Category > Control Panel/Display</ql rCategory > 
</ql:Policy> 
<ql: Policy > 
- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

< Domain 

</GP0> S= " httP://WWW,miCrOSOft ' com/Grou P Polic y/Types">gpmcdemo.com</ 

< Precedence 

<ql.Name>Screen Saver executable name</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql: Explain >Specifies the screen saver for the user's 
desktop.\n\nIf you enable this setting, the system displays the 
specified screen saver on the user's desktop. Also, this setting 
disables the drop-down list of screen savers on the Screen 
Saver tab in Display in Control Panel, which prevents users 
from changing the screen saver.\n\nlf you disable this setting 
or do not configure it, users can select any screen saver.\n\nlf 
you enable this setting, type the name of the file that contains 
the screen saver, including the .scr file name extension. If the 
screen saver file is not in the %Systemroot%\System32 
directory, type the fully qualified path to the file.\n\nlf the 
specified screen saver is not installed on a computer to which 
this setting applies, the setting is ignored.\n\nNote: This 
setting can be superseded by the "Screen Saver" setting. If the 
Screen Saver" setting is disabled, this setting is ignored, and 
screen savers do not run. </ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000 Service Pack 
l</ql: Supported > 

<ql : Category > Control Panel/Display</ql :Category > 

<ql:EditText> 

<ql:Name>Screen Saver executable name</ql:Name> 
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<ql:State>Enabled</ql:State> 
<ql : Value>scrnsave.scr</ql : Value> 
</ql:EditText> 
</ql: Policy > 

- <ql:Policy> 
- <GPO 

xmlns="http://www.micr soft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC></Identifier> 

<Domain 

</GPO> S= ,http://www,microsoft - com/Grou P Polic y/ T ypes">gpmcdemoxom</ 

< Precedence 

xmlns= l 'http://www.microsoft.com/Grou P Policy/Settings/Base">l</Preceder 
<ql:Name>Do not add shares of recently opened documents to '™cea& 

My Network Places</ql:Name> 

<ql:State>Enabled</ql:State> 

<ql:Explain>Remote shared folders are not added to My Network 
Places whenever you open a document in the shared 
folder.\n\nIf you disable this setting or do not configure it, 
when you open a document in a remote shared folder, the 
system adds a connection to the shared folder to My Network 
Places.\n\nlf you enable this setting, shared folders are not 
added to My Network Places automatically when you open a 
document in the shared folder.</ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql :Category> Desktop</ql : Category > 
</ql:Policy> 

- <ql:Policy> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Ident.fier> 

<Domain 

</GPO> S= , ' http://WWW - miCrOSOftCOm/Grou P Po,ic y/ T yP es ' , >9Pmcdemo.com</ 

< Precede nee 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<ql:Name>Prevent adding, dragging, dropping and closing the /Preceder 

Taskbar's toolbars</ql:Name> 

<ql:State>Enabled</ql:State> 

<ql: Explain > Prevents users from manipulating desktop 
toolbars.\n\nIf you enable this setting, users cannot add or 
remove toolbars from the desktop. Also, users cannot drag 
toolbars on to or off of docked toolbars.\n\nNote: If users 
have added or removed toolbars, this setting prevents them 
from restoring the default configuration. \n\nTip: To view the 
toolbars that can be added t the deskt p, right-click a d eked 
toolbar (such as the taskbar beside the Start button), and point 

to T olbars."\n\nAlso, see the "Prohibit adjusting desktop 
t olbars" setting.</ql:Explain> 
<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 
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<ql:Category>Desktop</ql:Category> 
</ql:Policy> 

- <ql: Policy > 
- <GPO 

<Td l entifie" P://WWW " miCr S ° ft " C m/Grou P Po,icv / Sett ''n9s/Base"> 

xmlns="http://www.microsoft.c m/GroupPolicy/TvDes"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GTOr =httP://WWW " miCrOSOft - COm/GrOUpPo,ic ^ 

< Precedence 

<ql:Name> Prohibit user from changing My Documents /^receaer 

path</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>Prevents users from changing the path to the My 
Documents folder. \n\nBy default, a user can change the 
location of the My Documents folder by typing a new path in 
the Target box of the My Documents Properties dialog 
box.\n\nIf you enable this setting, users are unable to type a 
new location in the Target box.</ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category>Desktop</ql:Category> 
</ql:Policy> 

- <ql:Policy> 

- <GPO 

iTdentlfie" P://WWW * miCr ° SOft ' COm 

xmlns= 'http://www.microsoft.com/GroupPolicv/TvDes"> 

{9DE1E409.B0BF-4ECF.BCE1-F18B828768B4></Ident.fier> 

< Domain 

</GTOr = " httP://WWW " mjCrOS ° ft,COm/GrOUpPolic ^ 

<Precedence 

xmlns="http://www.microsoft.com/Grou P Policy/Settings/Base">l</Preceder 
<ql:Name>Remove Properties from the Recycle Bin context ^/^ceder 

menu</ql:Name> 

< q 1 : State > Enab led </q 1 : State > 

<ql:Explain>Removes the Properties option from the Recycle Bin 
context menu.\n\nlf you enable this setting, the Properties 
option will not be present when the user right-clicks on Recycle 
Bin or opens Recycle Bin and then clicks File. Likewise, Alt- 
Enter does nothing when Recycle Bin is selected.\n\nlf you 
disable or do not configure this setting, the Properties option is 
displayed as usual.</ql:Explain> 

<ql:Supported>At least Microsoft Windows XP Professional or 
Windows Server 2003 family</ql : Supported > 

< q 1 : Catego ry > Desktop </q 1 : Categ o ry > 
</ql: Policy > 

- <ql:Policy> 

- <GP0 

iTdentlfie" P://WWW ' miCr ° S ftcom/Gr u P p "cy/Settings/Base 1 ^ 
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xmlns="http://www.micr s ft.com/GroupPolicy/Types "> 

•CB8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

< Domain 

</GPO> S= " http://WWW - microsoft com/Grou P Po,ic y/Types">gpmcdemo.c m</ 

<Precedence 

xmlns="http://vyww.micros ft.com/GroupPolicy/Settings/Base">K/Preceder 
<ql:Name>Prohibit access to the Advanced Settings item on the /Kreceder 

Advanced menu</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>Determines whether the Advanced Settings item on 
the Advanced menu in Network Connections is enabled for 
administrators.\n\nThe Advanced Settings item lets users view 
and change bindings and view and change the order in which 
the computer accesses connections, network providers, and 
print providers. \n\nlf you enable this setting (and enable the 
Enable Network Connections settings for Administrators- 
setting), the Advanced Settings item is disabled for 
administrators. \n\nImportant: If the "Enable Network 
Connections settings for Administrators" is disabled or not 
configured, this setting will not apply to administrators on 
post-Windows 2000 computers. \n\nlf you disable this setting 
or do not configure it, the Advanced Settings item is enabled 
for administrators.\n\nNote: Nonadministrators are already 
prohibited from accessing the Advanced Settings dialog box 
regardless of this setting. </ql; Explain > * ' 

<ql:Supported>At least Microsoft Windows 2000 Service Pack 
l</ql:Supported> 

<ql Category > Network/Network Connections</ql:Cateqory> 

</ql: Policy > 

- <ql:Policy> 
- <GP0 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns= "http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC></Identifier> 

<Domain 

</GPO> S= ,http://www - microsoftcom/Grou P Polic y/ T ypes">gpmcdemo.com</ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<ql:Name>Prevent use of Offline Files folder</ql:Name> /^eceaer 

< q 1 : State > Enabled </q 1 : State > 

<ql:Explain>Disables the Offline Files folder.\n\nThis setting 
disables the "View Files" button on the Offline Files tab. As a 
result, users cannot use the Offline Files folder to view or open 
copies of network files stored on their computer. Also, they 
cannot use the folder to view characteristics of offline files 
such as their server status, type, or location.\n\nThis setting 
does not prevent users from working offline or from saving 
local copies of files available ffline. Also, it does n t prevent 
them from using ther pr grams, such as Wind ws Explorer, t 
view their ffline files. \n\nThis setting appears in the 
Computer C nfiguration and User Configuration folders. If b th 
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settings are configured, the setting in C mputer Configuration 
takes precedence over the setting in User 
Configurati n.\n\nTip: To view the Offline Files Folder, in 
Windows Explorer, on the Tools menu, click Folder Options 
click the Offline Files tab, and then click "View 
Files."</ql:Explain> 
<ql: Supported At least Micros ft Windows 2000</ql:Supported> 
<ql .-Category > Network/Offline Files</ql .Category > 
</ql : Policy > 

- <ql:Policy> 
- <GPO 

iTdentlfie" P://WWW " m,CrOSOft ' C ° m/GrOUpP 
xmlns="http://www.microsoft.com/GroupPolicv/TvDes"> 

</GPoi nS= " httP://WWWmiCrOSOftCOm/GrOU ^ 

< Precedence 

<ql.Name>Proh.bit user configuration of Offline Files</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>Prevents users from enabling, disabling, or changing 
the configuration of Offline Files.\n\nThis setting removes the 
Offline Files tab from the Folder Options dialog box. It also 

Inn H V r S K, he f u ett L n 9 s . item fr <»" ^e Offline Files context menu 
and disables the Settings button on the Offline Files Status 
dialog box. As a result, users cannot view or change the 
options on the Offline Files tab or Offline Files dialog 
box.\n\nThis is a comprehensive setting that locks down the 
configuration you establish by using other settings in this 
»«h n AnX " Th j s settina aPPears in the Computer Configuration 
S?J ?c«« r Conf '9 uration fold ers. If both settings are configured, 
the setting in Computer Configuration takes precedence over 
the setting in User Configuration.\n\nTip: This setting provides 
a quick method for locking down the default settings for Offline 
Files. To accept the defaults, just enable this setting. You do 

not have to disable any other settings in this 

folder.</ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 
<ql:Category> Network/Offline Files</ql:Categorv> 

- <ql:Text> 

<ql:IMame> Prevents users from changing any cache 
configuration settings. </ql:Name> 
</ql:Text> 
</ql: Policy > 
- <ql:Policy> 

- <GPO 

xmlns="http://www.microsoft.com/GroupP licv/TvDes"> 

<Do^if A61 " 8M2 - 4913 - 8B00 - 7DCA9946O2D< :><~ 

xmlns= "http://www.iTiicrosoft.com/Gr upPolicy/Types"> B pmcdemo.c m</ 
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</GPO> 
< Precedence 

xmlns="http://www.microsoftxom/GroupPolicy/Settings/Base">l</Preced 
<ql:Name> Remove 'Make Available Offline'</qi:Name> A</Kreceaer 

<ql:State>Enabled</ql:State> 

<ql:Explain>Prevents users from making network files and 
folders available offline. \n\nThis setting rem ves the "Make 
Available Offline" option from the File menu and from all 
context menus in Windows Explorer. As a result, users cannot 
designate files to be saved on their computer for offline 
use.\n\nHowever, this setting does not prevent the system 
from saving local copies of files that reside on network shares 
designated for automatic caching.\n\nThis setting appears in 
the Computer Configuration and User Configuration folders. If 
both settings are configured, the setting in Computer 
Configuration takes precedence over the setting in User 
Configuration. </ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category>Network/Offline Files </ql: Category > 
</ql: Policy > 

<ql:Policy> 

- <GPO 

^Tdentlfie^ 

xmlns= "http://www.microsoft.com/GroupPolicv/TvDes"> 
< < o B 8 a 5 23A61-8642.4913-8B00-7DCA994602DCWIdentifier> 

</GPO> S ~ 
< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<ql:Name>Synchronize all offline files before logginq /""eceaer 

off</ql:Name> 99 9 

<ql:State>Enabled</ql:State> 

<ql: Explain > Determines whether offline files are fully 
synchronized when users log off.\n\nThis setting also disables 

£! o«r cT iZe 3 u 0ffMne fil6S before '°99 in 9 off " 0 P«on on 
the Offline Files tab. This prevents users from trying to change 

the option while a setting controls it.\n\nlf you enable this 

setting, offline files are fully synchronized. Full synchronization 

ensures that offline files are complete and current. \n\nlf you 

disable this setting, the system only performs a quick 

synchronization. Quick synchronization ensures that files are 

complete, but does not ensure that they are current.\n\nlf you 

do not configure this setting, the system performs a quick 

synchronization by default, but users can change this 

»nS n n ;} n ) nT i iS Se " in9 aDDears in th e Computer Configuration 
and User Configuration folders. If both settings are configured, 
the setting in Computer Configuration takes precedence over 
the setting in User Configuration.\n\nTip: To change the 
synchronization method without changing a setting, in 
Windows Expl rer, on the Tools menu, click F Ider Opti ns 

th e e , 0ff ' me Fj,es ^b, and then select the "Synchronize all 
offline files before logging off" option. </ql: Explain > 
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<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 
<ql:Category> Network/Offline Files</ql:Category> 
</ql:Policy> 

- <ql:Policy> 
- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http:// www.microsoft.com/GroupPolicy/Types"> 

<B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

* /^' nS= " http:// wwwmicr °soft.com/GroupPolicy/Types">gpmcdemo.com</ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preceder 
<ql:Name>Add Logoff to the Start Menu</ql:Name> 

<q 1 : State > Enabled </q 1 : State > 

<ql: Explain > Adds the "Log Off <username>" item to the Start 
menu and prevents users from removing it.\n\nlf you enable 
this setting, the Log Off <username> item appears in the Start 
menu. This setting also removes the Display Logoff item from 
Start Menu Options. As a result, users cannot remove the Log 
Off <username> item from the Start Menu.\n\nlf you disable 
this setting or do not configure it, users can use the Display 
Logoff item to add and remove the Log Off item.\n\nThis 
setting affects the Start menu only. It does not affect the Log 
Off item on the Windows Security dialog box that appears 
when you press Ctrl+Alt+Del.\n\nNote: To add or remove the 
Log Off item on a computer, click Start, click Settings, click 
Taskbar and Start Menu, click the Start Menu Options tab, and 
then, in the Start Menu Settings box, click Display 
Logoff. \n\nAlso, see "Remove Logoff" in User 
Configuration\Administrative 
Templates\System \ Logon/ Logoff. </ql : Explain > 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category>Start Menu and Taskbar</ql:Category> 
</ql:Policy> 
- <ql: Policy > 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

w / D J ns -' http://www ' microsoft 'Coni/GroupPolicy/Types»>gpn,cd e nio.co m </ 

< Precedence 

xmlns= 1 http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
< q 1. -Na me > Force classic Start Menu</ql:Name> 

<ql : State > Enabled </q 1 : State > 

<ql: Explain >This setting effects the presentation of the Start 
menu.\n\nThe classic Start menu in Wind ws 2000 
Professional allows users to begin c mmon tasks, while the 
new Start menu cons lidates comm n items nto one menu. 
When the classic Start menu is used, the f Mowing ic ns are 
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placed on the desktop: My D cuments, My Pictures, My Music My 
C mputer, and My Network Places. The new Start menu starts 
them directly.\n\nlf you enable this setting, the Start menu 
displays the classic Start menu in the Windows 2000 style and 
displays the standard desktop ic ns.\n\nlf you disable this 
setting, the Start menu only displays in the new style, meaning 
the deskt p icons are now n the Start page.\n\nlf you do n t 
configure this setting, the default is the new style, and the user 
can change the view.</ql:Explain> 
<ql:Supported>At least Microsoft Windows XP Professional or 

Windows Server 2003 family</qi:Supported> 
<ql:Category>Start Menu and Taskbar</ql .Category > 

</ql: Policy > 

<ql:Policy> 

- <GP0 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns= "http://www.microsoft.com/GroupPolicv/TvDes"> 

{B8523A61-8642-4913-8B00-7DCA994602DC></Identifier> 

<Domain 

</GPO> S= ,,http://WWW - microsoft - com/Grou P p ° ,ic y/Types»>gpmcdemo.com</ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<ql:Name>Gray unavailable Windows Installer programs Start 1</Preceder 

Menu shortcuts</ql:Name> 

<q 1 : State > Enabled </q 1 : State > 

<ql:Explain>Displays Start menu shortcuts to partially installed 
programs in gray text.\n\nThis setting makes it easier for 
users to distinguish between programs that are fully installed 
and those that are only partially installed. \n\nPartially 
installed programs include those that a system administrator 
assigns using Windows Installer and those that users have 
configured for full installation upon first use.\n\nlf you disable 
this setting or do not configure it, all Start menu shortcuts 
appear as black text.\n\nNote: Enabling this setting can make 
the Start menu slow to open.</ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category>Start Menu and Taskbar</ql:Cateqory> 

/ql:Policy> 

ql: Policy > 

<GPO 

^7denSe" P://WWW ' mi ^^ 

xmlns="http://www. microsoft.com/GroupPolicv/TvDes"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GPO> S= httP ' 7/W ^ 
< Precedence 

xmlns="http://www.microsoft.c m/Gr upP licy/Settings/Base">l</Preceder 
<ql:Name>Remove links and access to Windows /rreceaer 

Update</ql:Name> 
<ql :State> Enabled</ql :State> 
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<ql:Explain>Prevents users from connecting to the Windows 
Update Web site.\n\nThis setting blocks user access t the 
Windows Update Web site at 

http://windowsupdate.micros ft.c m. Also, the setting 
removes the Windows Update hyperlink from the Start menu 
and fr m the Tools menu in Internet Explorer. \n\nWindows 
Update, the online extension of Windows, offers software 
updates t keep a user's system up-to-date. The Windows 
Update Product Catalog determines any system files, security 
fixes, and Microsoft updates that users need and shows the 

»ST S i Ve »?^? S avai,ab,e for download.\n\nAlso, see the 
Hide the Add programs from Microsoft" option" 

setting.</ql:Explain> 
<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 
<ql:Category>Start Menu and Taskbar</ql:Cateqory> 

</ql: Policy > 1 

<ql:Policy> 

- <GPO 

iTdentlfi^ 

xmlns= "http://www.microsoft.com/GroupPolicv/TvDes"> 

{B8523A61-8642-4913-8B00-7DCA994602DC></Identifier> 

< Dorndin 

</GpS> S=, ' httP://W ^ 

< Precedence 

xmlns="http://www.microsoft.com/Grou P Policy/Settings/Base">l</Preceder 
<ql:Name>Remove Network Connections from Start K/nreceoer 

Menu</ql:Name> 

<ql : State > Enabled </ql: State > 

<ql:Explain>Prevents users from running Network 
Connections. \n\nThis setting prevents the Network 
Connections folder from opening. This setting also removes 
Network Connections from Settings on the Start 
menu.\n\nNetwork Connections still appears in Control Panel 
and in Windows Explorer, but if users try to start it, a message 

a rf!2 rS .. e r, XP I'.™" 9 that a Settin9 P reve "ts the action.\n\nAlso, 
see the Disable programs on Settings menu" and "Disable 
Control Panel" settings and the settings in the Network 
Connections folder (Computer Configuration and User 

Configurat«on\AdministrativeTemplates\Network\Network 

Connections).</ql:Explain> 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category>Start Menu and Taskbar</ql:Categorv> 
/ql:Policy> 

ql: Policy > 

<GPO 

2Tdentifie" P://WWWm,CrOSOftCOm/GrOUpP 

xmlns="http://www.microsoft.com/GroupPolicv/TvDes"> 
<Do^a" E4 ° 9 ^^ 

</G^O> nS= ' httP://WWW,miCrOSOft ' COm/GrOUpPo,iC ^ 
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< Precedence 

^Tm S= " h " p://www - microsoftcom / Grou PPolicy/Settings/Base">l</Preceder 
<ql:Name>Remove Run menu from Start Menu</ql Name> *</Preceder 
<ql:State>Disabled</ql:State> 

<ql:Explain>Allowsy ut remove the Run command from the 
Start menu, Internet Expl rer, and Task Manager.\n\nlf you 
enable this setting, the following changes occur:\n\n(l) The 
Run command is removed from the Start menu.\n\n(2) The 
New Task (Run) command is removed from Task Manager.\n\n 
(3) The user will be blocked from entering the following into 
the Internet Explorer Address Bar:\n\n— A UNC path- 
\\<server>\<share> \n\n— Accessing local drives: e!g., 

S>h Xn V" ^ C ?f sinfl ,OCal folders: e "9 ' \temp>\n\nAlso, users 
with extended keyboards will no longer be able to display the 

2. U - n w'- a ? fl b °. X bV P ressi "9 the Application key (the key with 
the Windows logo) + R.\n\nlf you disable or do not configure 
this setting, users will be able to access the Run command in 
the Start menu and in Task Manager and use the Internet 
Explorer Address Bar.\n\n\n\nNote:This setting affects the 
specified interface only. It does not prevent users from using 
other methods to run programs.\n\nNote: It is a requirement 
for third-party applications with Windows 2000 or later 
certification to adhere to this setting.</ql:Explain> 
<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 
<ql:Category>Start Menu and Taskbar</ql:Category> 

</ql:Policy> 

<ql:Policy> 

- <GPO 

<Td , endfie" P://WWWmiCr ° SOft ' COm/GrOUpPoli ^ 

xmlns='http://www.microsoft.com/GroupPolicy/Types"> 
<Do B ma 5 in 3A61 " 8642 " 4913 " 8BO °" 7DCA994602DC}</Identifier> 

</ G £o> s= ' http://ww ^ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<ql:Name>Don/t display the Getting Started welcome screen at 1</Preceder 

logon</ql:Name> 

< q 1 : State > Enabled </q 1 : State > 

<ql:Expiain>Supresses the welcome screen. \n\nThis setting 
hides the welcome screen that is displayed on Windows 2000 
Professional and Windows XP Professional each time the user 
logs on.\n\nUsers can still display the welcome screen by 
selecting it on the Start menu or by typing "Welcome" in the 
Run d.alog box.\n\nThis setting applies only to Windows 2000 
Professional and Windows XP Professional. It does not affect 
the Configure Your Server on a Windows 2000 Server" screen 

2omnni OW r 2 ?°° Se . rver '\"\"Note: This setting appears in the 
Computer Configuration and User Configuration folders. If both 
settings are c nfigured, the setting in C mputer Configuration 
takes precedence ver the setting in User 
Configurati n.\n\nTip: To display the welcome screen, click 

t£!u S L5° ^T*' P ° int * Acc essorie S/ point to System 
Tools, and then click "Getting Started." To suppress the 
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welcome screen without specifying a setting, clear the "Show this 
screen at startup" check box on the welcome 
screen. </ql:Explain> 

<ql:Supported>Only works on Micr s ft Windows 
2000</ql:Supported> 

<ql:Category>System</ql:Category> 
</ql: Policy > 

- <ql:Policy> 
- <GPO 

iTdentme^ 

xmlns="http://www.microsoft.com/GroupPolicv/TvDes"> 
^^61-864 

</Gror = ' http://wwwmicrosoftcom/Groupp ^ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicv/Settinas/Base">i^/Pr 0 ^H 0 r 

<q :Name>Prevent access to registry editing toolJ^NameJ >1</Preceder 

<ql:State>Enabied</ql:State> 

<ql:Explain>Disables the Windows registry editor 
Regedit.exe.\n\nlf this setting is enabled and the user tries to 
start a registry editor, a message appears explaining that a 
setting prevents the action.\n\nTo prevent users from using 
other administrative tools, use the "Run only allowed Windows 
applications" setting.</qi;Explain> windows 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

< q 1 : Category > System </q 1 : Category > 
</ql:Policy> 

<ql:Policy> 

- <GPO 

iTdentmer tP://WWW ' miCr ° SOft 

xmlns="http://www.microsoft.com/GroupPolicv/TvDes"> 
^o^f* 61 " 8642 " 4913 - 8 ^ 

</G^ S= " httP://WWW ' mlCrOSOftCOm/Gr0upPo ^ 

< Precedence 

<ql:State>Enabled</ql:State> 

<ql:Explain>Turns off the Autoplay feature. \n\nAutoplay begins 
reading from a drive as soon as you insert media in the drive. 

t J ■^? lt t - he Se ! UP fNe ° f proara ™ and the music on audio 
media start immed.ately.\n\nBy default, Autoplay is disabled 

V dH!!i dHVe H S ' SUCh 38 thC f, ° PPy disk drive < but not the 
CD-ROM drive), and on network drives.\n\nlf you enable this 

setting you can also disable Autoplay on CD-ROM drives or 

disable Autoplay on all drives. \n\nThis setting disables 

Autoplay on additional types of drives. You cannot use this 

n!?J n 2 v° f n f. b ' e Aut °P |a y on d "ves n which it is disabled by 
default.\n\nNote: This setting appears in both the Computer 
Configuration and User Configuration folders. If the settings 
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conflict, the setting in Computer Configuration takes precedence 

ZZ the . setti " 9 in User Confi 9uration.\n\nNote: This setting 

does not prevent Autoplay for music CDs.</ql:Explain> 
<ql :Supported> At least Micr soft Wind ws 2000 </ql: Supported > 
<ql :Category> System </ql :Category> 

- <ql:DropDownList> 

<ql:Name>Turn off Aut play on:</ql:Name> 
<q 1 : State > Enabled </q 1 : State> 
- <ql:Value> 

<ql:Name>AII drives </ql:Name> 
</ql:Value> 
</ql:DropDownl_ist> 
</ql:Policy> 

- <ql:Policy> 

- <GP0 

,™l" S r" http://ww ^^ 
^jf*"- 8642 '^ 

</GPO> S= " httP://WWW ' miCrOSOft - COm/GrOUpPo ^ 

< Precedence 

<ql.Name>Run logon scripts synchronously</qi:Name> i</Hreceder 
<ql:State>Enabled</ql:State> 

<ql:Explain>Directs the system to wait for the logon scripts to 
finish running before it starts the Windows Explorer interface 

nd /reates the desktop. \n\nlf you enable this 
hVvL L W ' nd , OWS = XD,orer does not start until the logon scripts 

ornLl^ ■ rUnn, , n9 ' ™ S Setti " 9 ensures that logon script 
?an h i ?iI S COmp,ete before *e user starts working, but it 
Sic ttV aPPearance of the desktop. \n\nlf you disable 
this setting or do not configure it, the logon scripts and 
Windows Explorer are not synchronized and can run 
s.multaneously.\n\nThis setting appears in the Computer 
ComZI r" ?- nd USer Confi ° u ' a «on Elders. The setting set in 
in iTcl T C ° nf, 9 uratj o n ta ><es precedence over the setting sei 
in User Configuration. </ql:Explain> 
<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category>System/Scripts</ql:Category> 
</ql: Policy > 1 

- <ql:Policy> 

- <GP0 

<7dent!^ 

xmlns="http://www.microsoft.com/GroupPolicv/TvDes"> 
<D? m a 5 i f A61 " 8642 " 4913 - 8B °°- 7DCA994602 ^><~ 

</GTO> S= " h,tP://WWW - m ' CrOSO "- COm/GroU|,|,0,ic V/ T »P«">9Pmcdemo.c m<, 

< Precedence 
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<ql:State>Enabled</ql:State> 

<ql:Explain>Sets the maximum size of each user profile and 
determines the system's resp nse when a user profile reaches 
the maximum size.\n\nlf y u disable this setting or do not 
configure i t/ the system does n t limit the size of user 
profiles. \n\nlf you enable this setting, you can do the 
following:\n\n~ Set a maximum permitted user profile 

S?r^TV Dete r m J ne wnether the re 9istry files are included in 
the calculation of the profile size;\n\n- Determine whether 
users are notified when the profile exceeds the permitted 
maximum s.ze;\n\n- Specify a customized message notifying 

cull** tH H ° VerSiZed P rofi,e An\n~ Determine how often the 
customized message is displayed. \n\nNote: This setting 
affects both local and roaming profiles. </ql : Explain> 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category>System/User Profiles</ql:Category> 

- <ql:EditText> 

<ql:Name>Custom Message</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Value>You have exceeded your profile storage space. 
Before you can log off, you need to move some items from 
</ q rEditText> t0 " etWOrk ° r local stor a9e.</ql:Value> 

- <ql:Numeric> 

<ql:Name>Max Profile size (KB)</ql:Name> 
<ql:State>Enabled</ql:State> 
<ql:Value>30000</ql:Value> 
</ql:Numeric> 

- <ql:CheckBox> 

<ql:Name>Include registry in file list</ql:Name> 
<ql:State>Disabled</ql:State> 
</ql:CheckBox> 

- <ql:CheckBox> 

<ql:Name>Notify user when profile storage space is 

exceeded. </ql:Name> 
<q 1 : State > Enabled </q 1 : State > 
</ql:CheckBox> 

- <ql:Numeric> 

<ql:Name>Remind user every X minutes:</ql:Name> 
<ql:State>Enabled</ql:State> 
<ql:Value>15</ql:Value> 
</ql:Numeric> 
</ql: Policy > 
- <ql:Policy> 

- <GPO 

JTdeS^ 

roi n Jr" http://www - microsoft - c °m/GroupPolicv/TvD 

<Do ma ^ 

</GPO> S= " httP://WWW - miCr S ft,C m / 6rou P p °"cy/Types»>gpmcdemo.com</ 

< Precedence 
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^nf "m P / /- W ^ ,m,CrOSOft ' COm/Grou P p lic y/Settings/Base"> 1 </Precedenc e > 
<ql:Name>Disable changing Advanced page settings</ql:Name> 
<ql:State>Enabled</ql:State> 4 
<ql: Explain > Prevents users fr m changing settings on the 

an^!. nC ?.? t3b I" the Internet Options dialog box.\n\nIf you 
enable this policy, users are prevented from changing 
advanced Internet settings, such as security, multimedia, and 
printing. Users cannot select or clear the check boxes on the 
Advanced tab.\n\nlf you disable this policy or do not configure 
it, users can select or clear settings on the Advanced 
tab.\n\nlf you set the "Disable the Advanced page" policy 
(located in \UserConfiguration\Administrative 

Sn^lfr XW fi nd ° W !. Comp0nentsNInternet ExplorerUnternet 
"SriwAh?^ y0U d °, n0t need to set this P° ,ic V' be ««se the 
from *k ♦ Advance d P^e" policy removes the Advanced tab 
from the interface. </ql: Explain > 

<ql.Supported>at least Internet Explorer v5.0K/ql:Supported> 

<ql:Category> Windows Components/Internet 
Explorer</ql :Category> 
</ql: Policy > 



<ql:Policy> 
- <GPO 



<Tdendfier tP://WWW ' miCr ° SOft,COm/G 

xmlns="http://www.microsoft.com/GroupPolicv/TvDes , > 
<Do™" A61 " 8M2 " 4913 - 8B00 - 7D " 994602D «<~^ 

</GTO> S= ' http://Wwwmicrosoft - com / Grou P ,, <>"<:y/Types->gp m eden,o.eom</ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicv/Settinas/Bas*»"^i^/Dr 0 ^H 0 
<ql:Name>Disable changing certificate set«nS</% Name> ^/Preceder 

<ql:State>Enabled</ql:State> 

<ql:Explain>Prevents users from changing certificate settings in 
Internet Explorer. Certificates are used to verify the identity of 
in 2TS P U f b,, : hers -\ n \ nIf VO" enable this policy, the settings 

OnHon h- ? Cat . S area ° n the Content tab in the ^^net 
Options dialog box appear dimmed.\n\nlf you disable this 

policy or do not configure it, users can import new certificates, 

remove approved publishers, and change settings for 

Srr„ C nr te V hat havea,readv bee " accepted.\n\nThe "Disable 
the Content page" policy (located in \User 

Configuration \Administrative Templates\Windows 
Components\Internet Explorer\Internet Control Panel), which 
removes the Content tab from Internet Explorer in ControT 
Panel, takes precedence over this policy. If it is enabled, this 
policy is ignored \n\nCaution: If you enable this policy/users 
can still run the Certificate Manager Import Wizard by double- 
ellahipc * softwa »; e Publishing certificate (.spc) file. This wizard 
enables users to import and configure settings for certificates 
from software publishers that haven't already been configured 
f r Internet Explorer. </ql:Explain> conngurea 
<ql:Supported>at least Internet Expl rer v5.0K/ql:Supported> 

<ql:Category>Wind wsC mp nents/Internet 

Explorer </q l : Category > 
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</ql:Policy> 
<ql:Policy> 
- <GPO 

iTdeniie" P://WWW,miCrOS ftcom/Grou P Po,ic V/ Settj n9s/Base"> 
xmlns="http://www.micr soft.c m/GroupPolicy/TyDes"> 

<B8523A61-8642-4913-8B00-7DCA994602DC></Identifier> 

<Domam 

</G^O> nS=httP://WWW,m, ' CrOSOft,COm/GrOUpP ^ 

< Precedence 

<.„Tm S= ' ,h "? :/ / www,microsoft - com / Grou PPolicy/Settings/Base">l</Preced e r 
<ql:Name>Disable changing default browser check</ql:Name> 1</Preceder 

<ql:State>Enabled</ql:State> 

<ql:Explain>Prevents Microsoft Internet Explorer from checking 
to see whether it is the default browser.\n\nIf you enable this 
policy the Internet Explorer Should Check to See Whether It Is 
the Default Browser check box on the Programs tab in the 
Internet Options dialog box appears dimmed.\n\nlf you 
disable this policy or do not configure it, users can determine 
whether Internet Explorer will check to see if it is the default 
browser. When Internet Explorer performs this check, it 
prompts the user to specify which browser to use as the 
default.\n\nThis policy is intended for organizations that do 
not want users to determine which browser should be their 

??ir C „? n The ," Di f^' e . th . e Pr °9™™ P^e" policy (located in 
\User Configurat.on\Administrative Templates\Windows 
Components\Internet Explorer\Internet Control Panel), which 
removes the Programs tab from Internet Explorer in Control 
Panel, takes precedence over this policy. If it is enabled, this 
policy is ignored.</qi:Explain> 
<ql:Supported>at least Internet Explorer v5.0K/ql:Supported> 

<ql:Category> Windows Components/Internet 
Explorer</ql .-Category > 

/ql:Policy> 

ql: Policy > 

<GPO 

i7denWie" P://WWW "^ 

r™r" http://www - microsoft - com / Gr <>upPolicy/Types"> 
<Domain 1_8642 "^ 

</GTOr = " httP://WWWmiCrOSOft - COm/Gr0upPo ^ 

< Precedence 

xmlns='http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<ql:Name>Disable changing ratings settings</ql:Name> i</"-eceder 

<q 1 : State > Enabled </q 1 : State > 

<ql:Explain>Prevents users from changing ratings that help 
control the type of Internet content that can be viewed.\n\nlf 
you enable this p licy, the settings in the C ntent Advisor area 
on the Content tab in the Internet Opti ns dialog box appear 
d.mmed.\n\nlf you disable this p licy r do not configure it, 
users can change their ratings settings.\n\nThe "Disable the 
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Ratings page" policy (I cated in \User 

Configurati n\Administrative Templates\ Windows 
Components\Internet Explorer\Internet Control Panel), which 
removes the Ratings tab from Internet Explorer in Control 
Panel, takes precedence over this p licy. If it is enabled, this 
P licy is ignored. </ql :Explain> ' 
<ql:Supported>at least Internet Expl rer v5.0K/ql:Supported> 
<ql:Category> Windows Components/Internet PP°™a> 
Explorer</ql :Category> 

</ql : Policy > 

<ql:Policy> 

- <GPO 

iTdentlfie" P://WWW ' miCrOSOft ' COm 

?!?i n c S "" nttp://www ^^ 
<Domaif 61 ' 8642 " 4913 - 8B °°- 7DCA994602DC ></^ 

</G^or = " httP://WWW - mlCrOS ° ft ' COm/GrOU P Po,i ^ 

< Precedence 

settings</qi:Name> 
<ql :State>Enabled</qi :State> 

<ql:Explain>Prevents users from changing the browser cache 
£ *'£ 9 t' SU 35 thC ,ocation and a mo«nt of disk space to use 
no»i!-M em K POrary IntGrnet FMes f °'der.\n\nlf you enable this 

ESS.?* .° WS ! r C3Che S6ttingS appear dimmed - These 
settings are found in the dialog box that appears when users 

dick the Genera, tab and then click the SetUngs button in the 

Internet Options dialog box.\n\nIf you disable this policy or do 

not configure ,t, users can change their cache settings. \n\nlf 

you set the "Disable the General page" policy (located in \Sser 

Conf,gurat.on\Administrative Templates\Windows 

Components\Internet Explorer\Internet Control Panel), you do 

oaar"n d r 0 P ° ,ICV ' b6CaUSe *« " Disable «»• *™£S 

page policy removes the General tab from the 

interface. </ql:Explain> 
<ql : Su PP orted>at least Internet Explorer v5.0K/ql:Supported> 
<ql:Category>Windows Components/Internet 

Explorer</ql .'Category > 
/ql:Policy> 
ql: Policy > 
<GPO 

< Domain A61 " 8642 - 4913 " 8B00 - 7DC A^4602DC}<y e P ntifier> 

</GTOr = " httP://WWW ' mlCr ° SOft - COm/Gro ^ 

< Precedence 
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Explorer</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>Prevents branding of Internet programs, such as 

and HHl Z h t,0n ? '"^T^ EXP ' W a " d ° Ut, °° k E *P^ I gos 
and title bars, by another party.\n\nlf you enable this policy it 

prevents customize* n fthebr wser by another party?such 

as an Internet service provider or Internet content 

provider. \n\nlf y u disable this policy or do not configure it 

users could install customizations from another party -for 

taTntani- 5!" S i 9nin9 " P f ° r Intemet serv ^es.\n\nThis policy 
is intended for administrators who want to maintain a 

consistent browser across an organization.</ql:Explain> 
<ql:Supported>at least Internet Explorer v5.01</ql:Supported> 
<ql:Category> Windows Components/Internet PP ortea > 

Explorer</ql :Category> 
</ql:Policy> 

- <ql:Policy> 
- <GPO 

r™« http://wwwmicrosoft - com /GroupPolicy/Tvpes"> 
^jf* 61 " 8642 " 49 ^^ 

</GPO> S= " httP:// ^ 

< Precedence 

<ql:State>Enabled</ql:State> 

<q wi«rH ai x n> v Pr T e r ntS US6rS fr ° m runnlng the Internet Connection 
Conned J I™ P °' icy ' the Setu P b ""°" on the 

Connections tab in the Internet Options dialog box appears 
dimmed \n\nUsers will also be prevented from runnfng ?he 
wizard by clicking the Connect to the Internet icon on the 

° r bV C ' C - in9 Start ' pointin 9 to Programs, pointing to 
i^Z'c*' P °T n ° t0 Commu "^ations, and thenclicking 
not lonr Conne , ct,on Wizard.\n\nlf you disable this policy or do 

TnZaZl USe : S / an Change their section settings by 
running the Internet Connection Wizard.\n\nNote: This policy 
overlaps with the "Disable the Connections page" policy 
(located in \User Configuration \Administrative * 
Templates\Windows Components\Internet ExplorerXInternet 
SllE^T 0 ' which '*™™s the Connections tar f™ the 
how-f 1 f emov,n 9 the Connections tab from the interface, 
however, does not prevent users from running the Internet 
Connection Wizard from the desktop or the Start " ternet 
menu.</ql:Explain> 
<ql:Supported>at least Internet Explorer v5.0K/qi:Supported> 
<ql:Category> Windows Components/Internet PP°™a> 
Explorer</ql:Category> 
</ql:Policy> 

- <ql:Policy> 

- <GPO 

xmlns="http://www.microsoft.c m/Gr upP licy/Settings/Base"> 
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< Identifier 

xmlns="http://www.micros ft.com/GroupPolicv/TvDes"> 
<Do B ma" A61 " 8M ^ 

<Precedence 

<ql:State>Enabled</ql:State> ' 
<ql:Explain>Prevents users from restoring default settings for 
home and search pages. \n\nlf you enable this policy, the 

OrtLs dfa? o ett T S bUtt ° n ° n thG Pr ° 9rams tab in th « Fernet 
oolicv or d« ™* * t PPearS dimmed -\n\nlf you disable this 
policy or do not configure it, users can restore the default 
settings for home and search pages.\n\nThe "Disable the 
Programs page" policy (located in \User 
Configuration \Administrative Templates\ Windows 
r^ P ^ n K tS \ Intemet Ex P |orer \mternet Control Panel), which 

Panel tL- n t3b fr ° m Internet Exp,orer j " Control 

Panel, takes precedence over this policy. If it is enabled, this 

policy is ignored.</ql:Explain> 
<ql:Supported>at least Internet Explorer v5.DK/qi:Supported> 
<ql.Category>Windows Components/Internet 
Explorer</ql .-Category > 
</ql:Policy> 



- <ql:Policy> 
- <GPO 



xmlns="http://www.microsoft.com/GroupPolicv/TvDes"> 
<Dorna S if AS1 " 8642 " 4913 - 8B0 °- 7DCA994602DC > < ~ 

</ G ro> S= ' ,ht,p://www - mlcrosof ^^ 

< Precedence 

passwords</ql:Name> 

< q 1 : State > Enabled </q 1 : State > 

<ql:Explain>Disables automatic completion of user names and 
passwords in forms on Web pages, and prevents users from 

do STTif 1° SaVe P asswords -\n\nIf you enable this 
policy, the User Names and Passwords on Forms and Prompt 

th Jo f TJu ? SSW ° rdS ChCCk b ° Xes appear dimmed - To display 

rt<l\Z r b .°* eS ' US6rS ° pen the Internet °P«ons dialog boi, 
click the Content tab, and then click the AutoComplete 

button.\n\nIf you disable this policy or don't configure it 
com^lT* determine whether Internet Explorer automatically 
completes user names and passwords on forms and prompts 
them to save passw rds.\n\nThe "Disable the Content page" 
P hey (located in \User C nfiguration\Administrative 

C ntr I Panel), which rem ves the C ntent tab from Internet 
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Expl rer in C ntrol Panel, takes precedence over this policy If it is 
enabled, this policy is ignored.</ql:Explain> 
<ql:Supported>at least Internet Explorer v5.0K/ql:Supported> 
<ql:Category> Windows Components/Internet PP° nea > 
Explorer</ql :Category> 
</ql: Policy > 

- <ql:Policy> 
- <GPO 

xmlns='http://www.microsoft.com/GroupPolicv/TvDes"> 
<Do ma if A61 - 8642 - 4913 - 8BO °- 7DC * 994602D =>^ 

</Gro> S "'' ht * ://WWW - miCrOSO,, - COm/Grou ' ,,,oli ' : V/Types->gp m cden,o.con,</ 

< Precedence 

Identities</ql;Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>Prevents users from configuring unique identities by 
cr^J^M?^ Mana 9^ \n\nldentity Manager enables users to 

comPut^'p^ru? 0 ^' 5 ' SUCh 38 e - mai ' aCCOunts ' on the sa ™ 
Das^word'/nH h « ? S " identity ' with a Cerent 

STta JS2 d 'fferent program preferences.\n\nlf you enable 
this policy, users will not be able to create new identities 
manage existing identities, or switch identities. The Switch 
Identity option will be removed from the File menu in Address 
Book.\n\nIf you disable this policy or do not configure it, users 
can set up and change identities.</ql:Explain> 
<ql:Supported>at least Internet Explorer v5.0K/ q i : Supported 
<ql:Category>Windows Components/Internet u PP orted> 
Explorer</ql :Category> 
</ql:Policy> 
• <ql:Policy> 

- <GPO 

<Domain A61 " 8642 - 4913 - 8B0 °- 7DCA 9^602DC}</ldentifier> 

</GPO> S= " httP://WWW,mlCrOSOft - COm/Grou P^ 

< Precedence 

<ql:State>Enabled</ql:State> 

<ql:Explain>Makes the Customize button in the Search Assistant 
appear dimmed.\n\nThe Search Assistant is a tool that 
appears in the Search bar to help users search the 

££r r S tAn K ?' - V ° U 6nable thiS P ° liCy ' USers cannot c "ange 
their search Assistant settings, such as setting default search 

nofconVn f SP > CifiC tasks \"\" If you disable this policy or do 
not configure ,t, users can change their settings fir the Search 
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Assistant.\n\nThis policy is designed to help administrat rs 
maintain c nsistent settings for searching across an 
rganization.</ql:Explain> 
<ql:Supported>at least Internet Expl rer v5.0K/ql: Supported 
<ql:Category>WindowsC mp nents/Internet 
Explorer</ql :Category> 
</ql:Policy> 

- <ql:Policy> 
- <GPO 

™dentm^ 

rTil S r " htt P : // www -microsoft.com/GroupPolicy/TvDes"> 

^GP^"*"*"^^ 

<Precedence 

connections</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>Specifies that Automatic Detection will be used to 

usesa^CP rn P f ° r users \"\nAutomatic Detection 

uses a DHCP (Dynamic Host Configuration Protocol) or DNS 
server to customize the browser the first time it is 

wm f ™»r" y °^ en f ble * hiS P ° ,iCy ' users ' dia, " u P se "ings 
will be configured by Automatic Detection. \n\nlf you disable 

confinoSK d A° T conf '"9 ure *< dia, -"P settings will not be 

S^&SZT""" DeteCti ° n ' Un,CSS SPedfied by the 

<ql:Supported>at least Internet Explorer v5.0K/ql:Supported> 

<ql:Category> Windows Components/Internet 
Explorer</ql :Category> 
</ql:Policy> 

- <ql:Policy> 

- <GPO 

™dentlf^ 

xrnlns="http://www.microsoft.com/GroupPolicy/TvDes ,, > 

</GPO> 5 = " h * P://WWW - miCrOSOft ^ 

<Precedence 

option</ql:Name> 
<q 1 : State > Enabled </q 1 : State > 

<ql:Explain>Prevents users from displaying tips for users who 

N^'" 9 n r ° m Netsca P e \n\n" vou enable this policy, the 
F r Netscape Users command is removed from the Help 
menu.\n\nlf you disable this policy r do not configure it 

cncif„nTh d,S c P,a i C " tent 3bOUt SWltchi "9 from Netscape by 
clicking the F r Netscape Users c mmand on the Help 
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menu.\n\nCaution: Enabling this policy does not remove the tips 

Sl^SSKT' fr m the Microsoft Internet Exp, ° & 

<ql:Supported>at least Internet Explorer v5.0K/ql:Supported> 
<ql :Category> Windows C mp nents/Internet Explorer/ Browser 

menus</ql:Category> 
</ql:Policy> 

- <ql:Policy> 
- <GPO 

™deS^ 

<Domain A61 - 8642 - 4913 " 8B00 - 7DCA 9M602DC></Identifier> 

</GTO> S= " httP!//WWWmiCrOSOftCOm/GrOUpP ^ 

< Precedence 

option</ql:Name> 
<ql : State > Enabled </q 1 : State > 

<ql:Explain>Prevents users from sending feedback to Microsoft 
by clicking the Send Feedback command on the Help 
menu.\n\nlf you enable this policy, the Send Feedback 

th/Tno." ' S r ^ moved from the Help menu.\n\nlf you disable 
this policy or do not configure it, users can fill out an Internet 
form to provide feedback about Microsoft miernet 
products. </ql : Expla in > 
<ql:Supported>at least Internet Explorer v5.0K/ql:Supported> 
<ql:Category> Windows Components/Internet Explorer/ Browser 
menus</ql Category > H ' orowser 

</ql:Policy> 
- <ql:Policy> 

- <GPO 

™dentl^ 

<Domain A61 - 8642 - 4913 - 8B0 °- 7D CA994602DC}</Identifier> 

</GPOr S= " httP://WWW - miCrOSOft - COm/Gro ^ 

< Precedence 

option</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>Prevents users from viewing or changing the Tip of 
e „ a bi! V ,K 6rf ? Ce m u Mic, ' osoft I^rnet Explorer.\n\nIf you 
Z S P0 '\ C V he Ti P of th * ^y command is removed from 

the Help menu.\n\nlf you disable this policy or do not 
configure ,t, users can enable or disable the Tip of the Day 
which appears at the bott m of the browser. </ql: Explain/ 
<ql:Supported>at least Internet Expl rer v5.01</qi:Supported> 
<ql :Category> Windows C mp nents/Internet Explorer/ Browser 
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menus</ql .-Category > 
</ql: Policy > 

- <ql:Policy> 
- <GPO 

<Tdentlfier ttP://WWW " miCr soft - com / Grou P p <»icy/Settings/Base"> 

xmlns="http://www.microsoft.c m/Gr upPolicv/TvDes"> 
<Domaif A "' 8M2 - 49 "- 8B00 - 7DM9946O2D ^<~^ 

</Gro> S= '' h " P://WWW - miCrOSO ' ,com/GroupPolic »/ T VP«->9Pmc<le m o.c.m</ 

<Precedence 

mode</ql:Name> 
<ql : State > Enabled</q 1 : State > 

<ql:Explain>Prevents users from entering author mode.\n\nThis 
Con^MM 6 A tS " Ser ! fr ° m ° penin9 tne Microsoft Management 

m au?nor ( mo2 'anT*" m ° de ' eXP,idt,y ° penin 9 conso ' e 
in author mode, and opening any console files that open in 

cT^lTi** bV d J* ault -\"\"As * result, users canno? create 
console files or add or remove snap-ins. Also, because they 
cannot open author-mode console files, they cannot use the 
1 S fi,es contain.\n\nThis setting^ermiS users to 

open MMC user-mode console files, such as those on the 
Administrative Tools menu in Windows 2000 Server family or 

bTant°MMr erVer f° 03 fami,y ' H0W6ver ' users ca ""<>t 5 
blank MMC console window on the Start menu. (To open the 

MMC, click Start, click Run, and type mmc.) Users also cannot 
open a blank MMC console window from a command 
prompt.\n\nIf you disable this setting or do not configure it 
nfeT^q^^ m ° de and ° pe " author-mode conso.e' 

<ql: Supported At least Microsoft Windows 2000</ql:Supported> 
<ql:Category>Windows Components/Microsoft Management 
Console</ql :Category> 
</ql:Policy> 
- <ql : Policy > 

- <GP0 

^dentlfier tP://WWW ^ 

^oi n ^ http://www,microsoft - com /GroupPolicy/TyD 
<Do mai f 8642 ' 4913 - 8B0 °- 7DCA994602D ^^^^ 

</G^0> S= " httP://WWWmiCr ° SOft ' COm/GrOUpP 

< Precedence 

ins</qi:Name> K 
<ql:State>Enabled</ql:State> 

<ql:Explain>Lets you selectively permit or pr hibit the use of 
Micr soft Management Console (MMC) snap-ins.\n\n- If vou 
enable this setting, all snap-ins are prohibited, except those 
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that you explicitly permit. Use this setting if y u plan to prohibit 

SI? uiT S l s " a P- insAnNn T ° ex P ,idt, y Permit a snap-in, open 
the Restricted/Permitted snap-ins setting folder and enable the 
settings representing the snap-in you want to permit If a 
snap-.n setting in the folder is disabled or not configured the 
snap-in is prohibited.\n\n- If you disable this setting Tr do 
n t c nfigure it, all snap-ins are permitted, except those that 
you explicitly prohibit. Use this setting if you plan to pe*m* use 
of most snap-ins.\n\n To explicitly prohibit a snap-in^n the 

S^ PermittCd Snap_inS Settlng f0,der and th *n disable 
the settings representing the snap-ins you want to prohibit. If 
a snap-.n setting in the folder is enabled or not configured/the 
snap-in ,s perm,tted.\n\nWhen a snap-in is prohibited, it does 
not appear ,n the Add/Remove Snap-in window in MMC. Mso, 
when a user opens a console file that includes a prohibited 
snap-in, the console file opens, but the prohibited snap-in does 

2nl h. PPearAnXnN ° te: If VOU enab,e this setti "9- ancl you do not 
enable any settmgs in the Restricted/ Permitted snap-ins 
folder, users cannot use any MMC snap-ins.</ql:Explain> 
<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 
<ql:Category> Windows Components/ Microsoft Management 
Console</ql: Category > 
</ql: Policy > 



<ql:Policy> 
- <GPO 



™dentlfie^ 

xmlns= , http://www.microsoft.com/GroupPolicv/TvDes"> 

</GTO> S=, ' httP://WWW,miCrOSOft ' COm/GroupPolie »/ T »P« , >9P">cden,o.com</ 

< Precedence 

<£^^ 

Task Wizard</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>This setting removes the "Open advanced properties 

o'tne^H^"^ 1 ??• FinlSh " Ch6Ckbox from the last page 
ri J^fif t ^ TaSk Wizard - This P 0,ic V is on>y designed to 
simplify task creation for beginning users.\n\nThe checkbox 
when checked, instructs Task Scheduler t^SSSSS^Sn 

£d S^SlST?? ta , S " S Pr ° Perty Sneet U P°" completion o? the 
Add Scheduled Task" wizard. The task's property sheet allows 
users to change task characteristics suchas^the prograj „T 
task runs, details of its schedule, idle time and power 
management settings, and its security context. Beginning users 
TZ T T ^ interested ^ confused by having Te^perty 
s ee d ' s P'ayed automatically. Note that the checkbox is not 

Con? ^ ff U J* 6Ven if thls Settl "9 is Disab '«d or Not 

c«nf n UredAnXn ^° te: This settin 9 a PP ears in «■« Computer 
Configuration and User C nfiguration folders. If b th settings 
are configured, the setting in Computer C nfigurati n takes 
precedence over the setting in User C nfiguration. </ql E XD L> 
<ql:Supported>At least Micr soft Wind ws foOO</q :Su P portid> 
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<ql:Category>Wind ws Comp nents/Task 
Scheduler </ql:Category> 
</ql:Policy> 

- <ql:Policy> 
- <GPO 

^dentmer P://WWW ' miCrOSOft ' COm/GrOUpP ,ic y/ s ettings/Base»> 

Jji™i? p://www ^^ 
<Domain A61 " 8642 - 4913 - 8B00 - 7DCA9 ^602DC></Identifier> 

</Gror = " httP://WWW ' miCrOSOft - COm/GrOUpP ^ 

< Precedence 

<ql:State>Enabled</ql:State> 

<ql:Explain>Prevents users from viewing and changing the 
properties of an existing task.\n\nThis setting removes the 
Properties item from the File menu in Scheduled Tasks and 

task A«*r2l?» men " that appears when vou "ght-click a 
ThoJ ? , ' U i 6rS Cannot cna "9 e an V Properties of a task. 
JntLT u V 866 ^ properties appear in Detail view and 
in the task preview.\n\nThis setting prevents users from 
viewing and changing characteristics such as the program the 
task runs, its schedule details, idle time and power 

s n e tt n inf^ t a Se " in i S V and itS SCCUrity c °ntext.\n\nNote: This 
setting appears in the Computer Configuration and User 

Configuration folders. If both settings are configured, the 
setting in Computer Configuration takes precedence over the 
setting in User Configuration.\n\nTip: This setting affects 
existing tasks only. To prevent users from changing the 
properties of newly created tasks, use the "Remove Advanced 
Menu" setting.</ql;Explain> 
<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 
<ql:Category> Windows Components/Task PPortea> 
Scheduler</ql : Category > 
</ql : Policy > 

- <ql:Policy> 

- <GPO 

<?dentme^ 

rTl^r " httD://www - micr osoft.com/GroupPolicy/Types"> 
<DomaT A61 " 8 ^ 

</GTO> S= " httP://WWWmiCr ° SOft - COm/GrOUpP ^^ 

< Precedence 

<ql:State>Enabled</ql:State> 

<q ^lf\ P T^ tS ° SerS fr ° m Startin9 and st PP'"fl ^sks 
manually.\n\nTh.s setting rem ves the Run and End Task 

LTsk iJT. ~V C |* nteXt m6nU tHat aPPCarS When you ri 9ht-click 
a task. As a result, users cann t start tasks manually or f rce 
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tasks t end before they are finished.\n\nNote: This setting 

f« P .S earS r i * n u h fu C ° m P Uter Confi 9 u «-ati<>n User Configuration 
folders. If both settings are c nfigured, the setting in Computer 
Configuration takes precedence over the setting in User 
Configuration. </ql:Explain> 
<ql: Supported At least Micros ft Windows 2000</ql:Supported> 
<ql:Category> Windows Components/Task 
Scheduler</ql :Category> 
</ql: Policy > 



- <ql:Policy> 
- <GPO 



iwentmer tP://WWW,mlCrOSOft ' COm/G ^ 

xmlns= , http://www.microsoft.com/GroupPolicv/TvDes"> 
<"ma" A "" 8S42 " 4913 - 8B00 - 7DCA994S02DC ><~ 

</ G ro> $= " h " p://wwwmicros ^ 

<Precedence 

<ql:State>Enabled</ql:State> 

<ql:Explain>Limits newly scheduled to items on the user's Start 
menu, and prevents the user from changing the scheduled 
program for existing tasks. \n\nThis setting removes the 

rlirX !T fr ° m the Schedule Task Wizard and from the 
Task tab of the properties dialog box for a task. Also, users 
cannot edit the "Run" box or the "Start in" box that determine 
the program and path for a task.\n\nAs a result, when users 

S ' ?S mU !* Se,eCt 3 P r °9 ram fl ™ the list in the 
Scheduled Task Wizard, which displays only the tasks that 
appear on the Start menu and its submenus. Once a task is 
created, users cannot change the program a task 
runs.\n\nImportant: This setting does not prevent users from 
creating a new task by pasting or dragging any program into 

»p 6 h C ^' ed TaSkS f °' der - To prevent this a <*ion, use the 
Prohibit Drag-and-Drop" setting.\n\nNote: This setting 

^^"tTu u C ° mpUter Con «9«ration and User Configuration 

SS« " I ♦ I 6 " 1 " 98 are conff 9 ured ' the setting in Computer 

Configuration takes precedence over the setting in User 

Configuration. </ql:Explain> 
<ql. -Supported At least Microsoft Windows 2000</ql: Supported 
<ql:Category> Windows Components/Task 

Scheduler</ql :Category> 
</ql: Policy > 

<ql: Policy > 

- <GPO 

Sentme^ 

xmlns = "http://www.microsoft.com/GroupPolicv/TvDes"> 
<D0m"" A61 " 8642 - 49 "- 8B00 - 7D " 994602DC ><~ 

</Gro> S= " httP://WWW miCr soft - com/Grou P (, »'":y/Type S -> 9 p m cdemo.co m < / 
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< Precedence 

<,"^ 

<q 1 : State > Enabled</q 1 : State > 

<ql:Explain>Prevents users from adding or removing tasks by 
moving or copying programs in the Scheduled Tasks 
folder. \n\nThis setting disables the Cut, Copy, Paste, and 

sho r' cu V tems on tne c "text menu and the Edit menu in 
1 c u 6 ? T asks " lt a,so disables the drag-and-drop features of 
the Scheduled Tasks folder. \n\nAs a result, users cannot add 
new scheduled tasks by dragging, moving, or copying a 

tZSlZT ° r Pr f 9ram int ° the Schedu 'ed tasks folder.\n\nThis 
setting does not prevent users from using other methods to 
create new tasks, and it does not prevent users from deleting 
tasks.\n\nNote: This setting appears in the Computer 9 

fr 0 ^r , nn U ^ ti0n H a, ;? User Confi 9 ur «''°n Elders. If both settings 
are configured, the setting in Computer Configuration takes 
precedence over the setting in User Configuration. </ql: Explain > 

<ql:Supported>At least Microsoft Windows 2000 </ql: Supported 

<ql:Category> Windows Components/Task 
Scheduler</ql :Category> 
</ql: Policy > 

- <ql:Policy> 
- <GPO 

™dentlf^ 

xmlns= "http://www.microsoft.com/GroupPolicv/TvDes"> 
<DCa 5 " A61 " 8642 " 4913 - 8B °°- 7DCA994602D ^ 

</GTO> $= ' h " P://WWW " miCrOSOft - COm/GrOUpPolicv,/T »P es '' > 9P"«^^<>-»n.</ 

Precedence 

<ql:State>Enabled</ql:State> 

<ql:Explain>Prevents users from creating new tasks. \n\nThis 

^w n T 9 /^ 0VeS i h f, Add Schedu,ed Task item that starts the 
New Task W.zard. Also, the system does not respond when 

thrihoV 0 ! Tx 6, . Pa f tG/ ° r drag P r °9rams or documents into 
the Scheduled Tasks folder. \n\nNote: This setting appears in 
the Computer Configuration and User Configuration folders. If 
both settings are configured, the setting in Computer 
Configuration takes precedence over the setting in User 
Configuration.\n\nImportant: This setting does not prevent 
administrators of a computer from using At.exe to create new 
tasks or prevent administrators from submitting tasks from 
remote computers.</qi:Explain> 
<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 
<ql:Category>Windows Components/Task " P ported> 
Scheduler</ql: Category > 
</ql:Policy> 

<ql:Policy> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 
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identifier 

xmlns="http://www.micr soft.c m/GroupPolicv/TvDes"> 
<Do B maif A61 " 8642 " 4 ^^ 

</G^O> S= " httP://WWWmlCr S ftC m/Grou P Po| i<=y/Types»>gp mc demo.com</ 

< Precedence 

<ql:State>Enabled</ql:State> 

<ql: Explain > Prevents users from deleting tasks from the 
Scheduled Tasks folder.\n\nThis setting removes the Delete 
command from the Edit menu in the Scheduled Tasks folder 
2 fr f r l "e menu that appears when you right-click a task. 
Also, the system does not respond when users try to cut or 

tttn* * a nL'° m "l! Sc J ,edu,ed Tasks folder.\n\nNote: This 
setting appears in the Computer Configuration and User 
Configuration folders. If both settings are configured, the 

sett!™ !n u! mP r te , r Confi ? uration ""<es Precedence over the 
setting in User Configuration. \n\nImportant: This setting does 
not prevent administrators of a computer from using At exe to 
delete tasks.</ql:Explain> 9 *° 

<ql:Supported>At least Microsoft Windows 2000</ql: Supported 
<ql:Category> Windows Components/Task =>upportea> 
Scheduler</ql : Category > 
</ql: Policy > 



- <ql:Policy> 
- <GPO 



™dentm^ 

xmlns= ,, http://www.microsoft.com/GroupPolicv/TvDes"> 
<DoT i f A6l " 8642 - 4913 - 8B0 °- 7DCA994602D «^ 

</Gror S=,ht,P!//WWWmkrOSOftCOm/Grou P Pol ' c V/Types-> 9 pn,cdemo.co m </ 

< Precedence 

xmlns= ' h ttp://www.microsoftxom/GrouD^ 
<ql:Name>Allow only per user or approve^ >1</Preceder 

extensions</ql:Name> 
<ql:State>Enabled</ql:State> 

<ql:Explain>This setting is designed to ensure that shell 
extensions can operate on a per-user basis. If you enable this 

tha tt t , hav^ W h iS dir6Cted t0 ° n,y rU " th ° Se * he " extensTons 
not imnJ 5? ee " approved b V a " administrator or that will 
onfv7u P n/ f°tho er USerS ° f the machine '\n\nA shell extension 
only runs if there is an entry in at least one of the following 
locations ,n registry. \n\nFor shell extensions that have been 
approved by the administrator and are available to all users of 
the computer, there must be an entry at 

=^ 

user basis, there must be an entry at 
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<ql:Supported>At least Micros ft Windows 2000</ql: Supported 
<ql:Category>Wind ws C mp nents/Windows 
Explorer</ql :Category > 
</ql:Policy> 

- <ql:Policy> 
- <GPO 

JTdentmer ttP://WWW ' miCr ° SOft,C m / Grou P p °'*y/Settings/Base"> 

xmlns= ,, http://www.microsoft.com/GroupPolicv/TvDes"> 
<Dorna 5 if AS1 " 8642 " 4913 " 8B0 °- 7DCA994602D ^ < ~^ 

</Gro> S=httP://WWWmiCrOSO ' tCOm/GroupPolic » /T yP es " > 9Pn'<:<'«m 

< Precedence 

xmlns="http://www.microsoft.com/Gro^ 
<ql:Name>Do not request a.ternate credential >1</Preceder 

<q 1 : State > Enabled</q 1 : State > 

<ql:Explain>Prevents users from submitting alternate logon 

£?4nS!?i? inSta " « P r °9 ram -\n\nThis setting suppresses 
the Install Program As Other User" dialog box for local and 
network installations. This dialog box, which prompts the 
current user for the user name and password of an 

trvTin^*"' appears , when u *ers who are not administrators 
try to install programs locally on their computers. This setting 
allows adm.nistrators who have logged on as regular users Jo 

Z r ad P Z^ mS . With °^ ,0 ? 9Sn9 ° ff and lo ^"9 °n aga?n using 
?^.Lh L at ° r credent ^'s-\n\nMany programs can be 
installed only by an administrator. If you enable this setting 
and a user does not have sufficient permissions to install a 
program, the installation continues with the current user's 
£gon credentials. As a result, the installation might fail, or it 
might complete but not include all features. Or, it might appear 
to complete successfully, but the installed program might not 
operate correctly. \n\nlf you disable this setting or So not 
configure ,t, the "Install Program As Other User" dialog box 
appears whenever users install programs locally on the 
computer.\n\nBy default, users are not prompted for alternate 
logon credentials when installing programs from a network 
share. If enabled, this setting overrides the "Request 
^nT^ ^'V 0 ! n , etwork installations" setting.</qi :Explain> 
<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 
<ql:Category>Windows Components/Windows PP°™°> 
Explorer</ql :Category > 
</ql:Policy> 
- <ql:Policy> 

- <GPO 

J?dentmer tP: " 

xmlns="http://www.microsoft.com/GroupPolicv/TvDes"> 
<Do m a" A "" 8642 '^ 

/G xmh s --http://www.mic soft.com/Sr upPolicy/Types">gp mc dem..c m</ 

< Precedence 
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xmlns="http://www.microsoftxom/GroupPolky/Settings/Base">l</Precedenc e > 
<ql:Name>Hides the Manage item on the Windows Explorer /" ece <Jence> 

context menu</ql:Name> 

<ql:State>Enabled</ql:State> 

<ql: Explain > Removes the Manage item from the Windows 

riaht°X^- e ? me 1 u - f his context menu ap P ears when V°" 

right-click Wmdows Explorer or My Computer.\n\nThe Manage 
item opens Computer Management (Compmgmt.msc), a 
console tool that includes many of the primary Windows 2000 
administrative tools, such as Event Viewer, Device Manager, 
and Disk Management. You must be an administrator to use 
many of the features of these tools.\n\nThis setting does not 
remove the Computer Management item from the Start menu 
(Start, Programs, Administrative Tools, Computer 
Management), nor does it prevent users from using other 
methods to start Computer Management. \n\nTip: To hide all 
context menus, use the "Remove Windows Explorer's default 
context menu" setting. </ql:Explain> aerauit 

<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql:Category> Windows Components/Windows 
Explorer</ql;Category> 
</ql:Policy> 



- <ql:Policy> 
- <GP0 



xmlns= ,, http://www.microsoft.com/GroupPolicv/TvDes"> 
<Doma 5 if A61 " 864 ^ 

</GP0> S= h " P: " 
< Precedence 

<ql:Name>No "Entire Network" in MyNetworJpTacS^ qT^ame" >1</Pr6Ceder 
<ql:State>Enabled</ql:State> 

<ql:Explain>Removes all computers outside of the user's 
workgroup or local domain from lists of network resources in 

2St2S* ^° rer and My NetWork Pla «s.\n\nlf you enable 
this setting, the system removes the Entire Network option and 
the icons representing networked computers from My Network 
Places and from the browser associated with the Map Network 
Drive option.\n\nThis setting does not prevent users from 
viewing or connecting to computers in their workgroup or 
domain. It also does not prevent users from connecting to 
remote computers by other commonly used methods, such as 
by typmg the share name in the Run dialog box or the Map 
Network Drive dialog box.\n\nTo remove computers in the 
user s workgroup or domain from lists of network resources 
use the "No "Computers Near Me" in My Network Places" 
setting.\n\nNote: It is a requirement for third-party 

t a o PP i' i C c a co^?• S Witl ? W L ndows 2000 ' 'ater certification to adhere 
to this setting.</ql: Explain > 

<ql:Supported>At least Microsoft Wind ws 2000</ql:Supported> 
<ql :Category> Windows C mponents/Wind ws 
Expl rer</ql:Category> 



Page 40 of 75 



</ql:Policy> 

- <ql:Policy> 
- <GPO 

xmlns="http://www.micr s ft.c m/GroupPolicv/TvDes"> 

{B8523A61-8642-4913.8B00.7DCA994602DC></Identifier> 

<Domain 

< /G lo> s ~ httpi//www ^^ 

< Precedence 

^nTM 5 " ,,h " p://wwW - mjcrosoft - com / Grou PPolicy/Settings/Base">l</Preceder 
<ql:Name>Remove Hardware tab</ql:Name> recede r 

< q 1 : State > Enabled </q l .- State > 

<ql:Explain>Removes the Hardware tab.\n\nThis setting 

InH°A V w S tH o Hardware tab from Mouse, Keyboard, and Sounds 
and Audio Devices in Control Panel. It also removes the 
Hardware tab from the Properties dialog box for all local 
drives, including hard drives, floppy disk drives, and CD-ROM 
drives. As a result, users cannot use the Hardware tab to view 
or change the device list or device properties, or use the 
Troubleshoot button to resolve problems with the 
device.</ql:Explain> 
<ql:Supported>At least Microsoft Windows 2000</ql:Supported> 

<ql : Category > Windows Components/ Windows 
Explorer</ql :Category> 
</ql: Policy > 
- <ql:Policy> 

- <GPO 

iTdentlfier^ 

xmlns= ,, http://www.microsoft.com/GroupPolicv/TvDes ,, > 
<Do B ma 5 if A61 " 8642 "^ 

</Gror =, ' http://www,microsoft - com/Group 

< Precedence 

xmlns=''http://www.microsoft.com/GroupPolicy/Settings/Base'>l</Preceder 
<ql:Name>Prevent removable media source for anv >i</Hreceder 

install</ql:Name> 

<ql:State>Enabled</qi:State> 

<ql: Explain > Prevents users from installing programs from 
removable media.\n\nlf a user tries to install a program from 
removable media, such as CD-ROMs, floppy disks, and DVDs^ 
message appears, stating that the feature cannot be 

rMn^« Xn I hiS S6t ? ing apP ' ies even wnen the installation is 
running ,n the user's security context.\n\nIf you disable this 

miS", 9 °k " ot . confiaure ^ users can install from removable 
media when the mstallation is running in their own security 
context, but only system administrators can use rem vable 
media when an installation is running with elevated system 
privileges, such as installations ffered on the desktop or in 
Add or Remove Pr grams.\n\nAlso, see the "Enable user to 
use media source while elevated setting" in Computer 
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C nfigurati n\Administrative Templates\ Windows 

Components\Windows Installer.\n\nAlso, see the "Hide the 
•Add a program from CD-ROM or fl ppy disk' option" setting in 
User Configuration \Administrative Templates\Control 
Panel\Add or Remove Programs.</ql:Explain> 
<ql:Supported>At least Micr soft Windows 2000</ql: Supported > 
<ql:Category> Windows Components/Windows 
Installer</ql:Category> 
</ql:Policy> 

- <ql:RegistrySetting> 

- <GPO 

xmlns="http://www.microsoft.com/Grou P Policy/Settings/Base"> 

<Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GPO^ S= httP://WWWm,CrOSOftCOm/GrOUpP °^ 

< Precedence 

<ql:KeyPath>Software\Policies\Microsoft\MMC</ql:KeyPath> ^ recea er 
<ql :AdmSetting>false</ql : AdmSetting> 
</ql : RegistrySetting > 

- <ql:RegistrySetting> 

- <GPO 

^J^=^J t P : // www -m'c«'osoft.com/GroupPolicy/Settings/Base l, > 

xmlns="http://www.microsoft.com/GroupPolicy/TvDes"> 

<B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GPO> S= ' http://WWW - microsoft - com/Grou P p ° lic y/Types">gpmcdemoxom</ 

< Precedence 

xmlns='http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<ql:KeyPath>Software\Policies\Microsoft\Internet i</Hreceder 

Expiorer\Control Panel</ql:KeyPath> 
<q 1 : Adm Setting > false </q 1 : Ad m Setting > 
</ql: RegistrySetting > 
• <ql:RegistrySetting> 

- <GPO 

xmlns='http : //www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GpSr = httP://WWWmiCr ° SOft ' COm/GrOUpPoliCy ^ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preceder 

<ql:AdmSetting>false</ql:AdmSetting> r 
</ql: RegistrySetting > 
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- <ql:RegistrySetting> 
- <GPO 

xmlns="http://www.micros ft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http://www.microsoft.com/GroupPolicv/TvDes"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GPO> S= " http://www - micros ft <WGroupPolicy/Types»>gpmcdemoxom</ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preceder 

<ql^eyPath>Software\Policies\Microsoft\Windows\Installer</qlKevPath> 

<ql:AdmSetting>false</ql:AdmSetting> »«w</qi.KeyPath> 

</ql:RegistrySetting> 

- <ql:RegistrySetting> 

- <GPO 

iw l entlfie" P://WWW,miCrOSOft * C ° m/Gr ^ 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC></Identifier> 

<Domain 

</GPO> S= httP://WWW * miCrOS ° ft,COm/6rOUpPO,iCy/T ^ 

< Precedence 

<ql:KeyPath>Software\Policies\Microsoft\Internet /^receaer 
Explorer\Infodelivery\Restrictions</ql:KeyPath> 

<ql:AdmSetting>false</ql:AdmSetting> 
</ql:RegistrySetting> 

- <ql:RegistrySetting> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GPO> $= HttP://WWW ^ 

< Precedence 

<ql:KeyPath>Software\Policies\Microsoft\Windows\Task /^eceder 
Scheduler5.0</ql:KeyPath> 

<ql:AdmSetting>false</ql:AdmSetting> 
</ql:RegistrySetting> 
<ql:RegistrySetting> 
- <GPO 

iTdenSer P://WWW,m,CrOSOft,COm/GrOUpP °^ 

xmlns="http://www.microsoft.com/GroupPolicy/TvDes"> 

{B8523A61-8642-4913-8B00-7DCA994602DC></Identifier> 

<Domain 

xmlns="http://www.micros ft.com/Gr upPolicy/Types">gpmcdem .c m</ 
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</GPO> 

< Precedence 

xmlns=»http://www.micros ft.c m/GroupPolicy/Settings/Base">K/Preceder 

<ql:AdmSetting>false</ql:AdmSetting> 
</ql:RegistrySetting> 

- <ql:RegistrySetting> 

- <GPO 

iwentlfie" P://WWW * m,CrOSOft ' COm/G 

xmlns= "http://www.microsoft.com/GroupPolicv/TvDes"> 

{B8523A61-8642-4913-8B00-7DCA994602DC></Identifier> 

<Domain 

</GPO> nS= " http://WWWmicrosoft - c ^ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preceder 

<ql:KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\Uninsta 
<ql:AdmSetting>false</ql:AdmSetting> n\Koncies\uninsta 

</ql:RegistrySetting> 

- <ql:RegistrySetting> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns= "http://www.microsoft.com/GroupPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GTO> S= Hhttp://WWW,micr ° soft - com/Grou P Po,i cy/Types»>gpmcdemo.com</ 

< Precedence 

xmlns="http://www.microsoft.com/Grou P Policy/Settings/Base">l</Preceder 

<ql:KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\Networl 

<ql:AdmSetting>false</ql:AdmSetting> °"cies\Networl 

</ql:RegistrySetting> 

- <ql:RegistrySetting> 
- <GPO 

xmlns=''http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< identifier 

xrnlns="http://www.microsoft.com/GroupPolicy/Types"> 

{9DE1E409-B0BF.4ECF-BCE1-F18B828768B4></Identifier> 

<Domam 

</GPO>" S= httP://WWWmiCr ° SOft - COm/GrOUpP 

< Precedence 

xmlns="http://www.microsoft.com/Grou P Policy/Settings/Base">K/Preceder 

<n < i q iHS!fK h>SOf f Wa ? XMiCr soft \ Wind ws\CurrentVersion\Policies\Explore 

<ql:AdmSetting>false</ql:AdmSetting> F 

</ql:RegistrySetting> 
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- <ql:RegistrySetting> 
- <GPO 

iwentlfief tP://WWW,miCr soft com/6rou P Po,ic y/Settings/Base"> 

xmlns= M http://www.micr soft.c m/GroupPolicy/TvDes"> 
<,2J a " 3A6 ^ 

</Gro> S= " httP!//WWW,miCr S ftC m / Grou P p °^y/Types»>gpmcdemo.com</ 
< Precedence 
xmlns=, http://www.microsoftxom/G^ 

Connections</ql : KeyPath > 

<ql:AdmSetting>false</ql:AdmSetting> 
</ql:RegistrySetting> 

<ql:RegistrySetting> 

- <GPO 

iTdentlfie" P://WWW ' miCrOSOft,COm/G 
xmlns="http://www.microsoft.com/GroupPolicv/TvDes ,, > 

</GpS> S= " httP://WW ^^ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Bas e ">K/Preceder 

<q^AdS^ 
</ql:RegistrySetting> 
<ql:RegistrySetting> 

- <GPO 

iTdentlne" P://WWW " miCrOS ° ft ' COm/GrOUP 

{B8523A61.8642-4913-8B00-7DCA994602DC}</Identifier> 

^ L/Ornsin 

</Gro> s= " http:/ ^ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicv/Settinn«/R a o a »>>i^/D 
<fKeyPath>Software\Po.ic^ 

Connections</ql:KeyPath> 

<ql:AdmSetting>false</ql:AdmSetting> 
<ql:Value> 

<ql:Name>NC_ShowSharedAccessUI</qi.Name> 

<ql:Number>0</ql:Number> 
</ql:Value> 

/ql:RegistrySetting> 

ql:RegistrySetting> 

<GPO 

^dentlfie" P://WWW ' mlCrOSOft,C m/Gr UpP ,ic V/ s <*tings/Base"> 
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xmins="http://www.micros ft.com/GroupPolicy/Types "> 
<( ^523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

</GPO> S ~ httP!//WWW ' miCr S ft - com/Gr u PPolicy/Types">gpmcdemo. C m</ 

< Precedence 

xmlns="http://www.micr soft.com/GroupPolicy/Settings/Base">K/Preceder 

</ql : RegistrySetting> 
<ql:RegistrySetting> 

- <GPO 

^dentlfie" P://WWW,miCrOSOft,C °^ 

r™rI ,http://www,microsoft - com / Gro «PPolicy/Types"> 

{B8523A61-8642-4913-8B00-7DCA994602DC}</Identi^ 

<Domain 

</GTOr = ' http://wwwmicrosoft ' com/GroupPo,ic y /T ^ 

< Precedence 

xmlns="http://www.microsoft.com/Grou P Policy/Settings/Base">l</Preceder 

</ql:RegistrySetting> 
<ql:RegistrySetting> 

- <GPO 

^Tdentlfie" P://WWW ' miCr ° SOft ' COm/GrOUpP 
xmlns="http://www.microsoft.com/GroupPolicv/TvDes ,, > 

</G^0> S=httP://WWW ' miCr0S ° ft - COm/GrOUpPo ^ 

< Precedence 

xm ' ns ="httpy/www.microsoftxom/GroupPolicy/Setti 
<ql:KeyPath>Software\Policies\Microsoft\Internet gs/Base >1</Preceder 
Explorer\Restrictions</ql:KeyPath> 

<ql :AdmSetting>false</ql :AdmSetting> 
/ql:RegistrySetting> 

ql:RegistrySetting> 
<GPO 

^Tdentifie" P://WWWmiCrOSOft " COm/GrOU 



xmlns-"http://www.microsoft.com/GroupPolicv/TvDes"> 
<Do B ma 5 " A61 ' 8642 " 4913 ' 8B °°' 7DCA994602DC >^^^^^^ 

</Gmr = ' httP://WWW,miCrOSOft - COm/Gr0 ^ 

< Precedence 

xmlns="http://www.microsoft.c m/GroupPolicv/Settinas/Rase">i ^/p ro ^r 
<ql:KeyPath>Software\P licies\Micr s ft\Wlnd^\SS5l >1</Preceder 
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Panel\Deskt p</ql:KeyPath> 

<ql:AdmSetting>false</ql:AdmSetting> 
</ql:RegistrySetting> 
</Extension> 
<Name 

^eS^"^;"^"™'" soft - c ^/GroupPolicy/Settings»>Registry</Name> 

<ExtensionData> 
- < Extension 

xmlns:q2="http://www.microsoft.com/GroupPolicy/Settinas/IE'' 
xsi:type="q2:InternetExplorerSettings" 

vmlnr~"Uu H .// - — 



xmlns="http://www.microsoft.com/GroupPolicy/Settings"> 

<q2 : PreferenceMode >false </q2 : PreferenceMode> 



- <q2:DeleteAdminFavoritesOnly> 
- <GPO 



X TJ n ^ = I http://www • microsoft • com / Grou PPol■cy/Settings/Base"> 

<Identmer 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

■CB8523A61-8642-4913-8B00-7DCA994602DC}</Identifier> 

<Domain 

</GTO> S=,httP://WWW ' miCrOSOft - COm/GrOUpPO,i ^ 

<Precedence 

</q2:DeleteAdminFavoritesOnly> 
- <q2:HomePage> 
- <GPO 

iTdentlne" P://WWW " miCr ° SOft ' COm/GrOUpP0h 

xmlns^'http^/www.microsoft.com/GroupPolicy/Types'^ 
<Domain 11EA ' A625 " 4FC7 "^ 2D - E49880A31B5 3}</Identifier> 

</GTO> S= httP://WWW,miCr ° SOftCOm/GrOUpPoli ^ 

< Precedence 

xmlns='http://www.microsoft.com/GroupPolicy/Settings/Base">l</Prec G dPr 

<q2: V alue>file:///C:/Demo/Reports/spec.f,tm</q2:Va| U e? 

</q2:HomePage> 

</Extension> 
<Name 

Explorer Maintenance</Name> 

</ExtensionData> 
<ExtensionData> 
<Extension 

< ^ n l ) n e S -' ,htt P : // www •microsoft.com/GroupPolicy/Settings•' /> 

xmlns="http://www. m icr s ft.com/GroupPolicy/Settings">Folder 
Redirecti n</IMame> 
</ExtensionData> 
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- <ExtensionData> 
- < Extension 

xmlns:q4=''http://www.microsoftx 

xsi:type= M q4:PublicKeySettings" uuncivey 

xmlns== M http://www.microsoft.com/GroupPolicy/Settings"> 

- <q4:AutoEnrollmentSettings> 

<q4:RenewUpdateRevoke>false</q4:RenewUpdateRevoke> 

<q4:UpdateTemplates>false</q4:UpdateTemplates> 
</q4:Options> 

</q4:AutoEnrollmentSettings> 
</Extension> 
<Name 

xmlns- , http://www.microsoftxom/GroupPolicy/Setting 

Key</Name> * 

</ExtensionData> 
</UserResults> 
- <ComputerResults> 

<Version>2228227</Version> 
<Name>GPMCDEMO\WS03EE$</Name> 
<Domain>GPMCDemo.com</Domain> 
<SOM>GPMCDemo.com/Domain Controllers</SOM> 
<Site>Default-First-Site-Name</Site> 

- <SearchedSOM> 

<Path>GPMCDemo.com/Domain Controllers</Path> 

<Type>OU</Type> 
<0rder>4</Order> 

<BlocksInheritance>false</BlocksInheritance> 
<Blocked>false</Blocked> 

<Reason>Normal</Reason> 

</SearchedSOM> 

- <SearchedSOM> 

<Path>GPMCDemo.com</Path> 

<Type>Domain</Type> 

<0rder>3</0rder> 

<BlocksInheritance>false</BlocksInheritance> 
<Blocked>false</Blocked> 
<Reason>Normal</Reason> 
</SearchedSOM> 

- <SearchedSOM> 

<Path>GPMCDemo.com/Configuration/Sites/Default-First-Site- 

Name</Path> 

<Type>Site</Type> 
<0rder>2</0rder> 

<BlocksInheritance>false</BlocksInheritance> 
<Blocked>false</Blocked> 
< Reason > Normal </Reason > 
</SearchedSOM> 

- <SearchedSOM> 

<Path>Local</Path> 
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<Type>Local</Type> 
<Order>l</Order> 

<BlocksInheritance>false</BlocksInheritance> 

< Blocked > false </Blocked > 
<Reason>N rmal</Reason> 

</SearchedSOM> 

- <SecurityGroup> 

< 5 I 44 XI /SID = http://WWW ' microsoft com / Gr oupPolicy/Types">S-l-5-32- 

<Name 

</Sec^rityGrouT> //WWW ' mk 1 

- <SecurityGroup> 

<SID xmlns= "http://www.microsoft.com/GroupPolicy/Types">S-l-l- 

<Name 

</Sec m u^^ 

- <SecurityGroup> 

<SID xmlns= M http://www.microsoft.com/GroupPolicy/Tvpes">S-l-5-32- 
554</SID> 

<Name 

xmlns= "http://www.microsoft.com/GroupPolicy/Types ">BUILTIN\Pre- 
W.ndows 2000 Compatible Access </Na me > X re 

</SecurityGroup> 

- <SecurityGroup> 

<SIDxmlns="http://www.microsoft.com/GroupPolicv/TvDes ,, >S-l-5-32- 

545</SID> * 

<Name 

- <SecurityGroup> 

<SID xmlns= ,, http://www.microsoft.com/GroupPolicy/Tvpes">S-l-5-32- 

560</SID> 

<Name 

Authorization Access Group</Name> 

</SecurityGroup> 

- <SecurityGroup> 

<SID xmlns= M http://www.microsoft.com/GroupPolicy/Types">S-l-5- 

2 ^ / S I D ^ 

<Name xmlns="http://www.microsoft.com/GroupPolicv/TvDes">NT 
AUTHORITY\NETWORK</Name> 

</SecurityGroup> 

<SecurityGroup> 

<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-l-5- 

<Namexmlns="http://www.microsoft.com/GroupPolicv/TvDes">NT 
AUTHORITY\AuthenticatedUsers</Name> 

</SecurityGroup> 

<SecurityGroup> 

<SID xmlns= "http://www.micr soft.c m/GroupPolicy/Types">S-l-5- 

15 ^/SID^ 
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<Name xmlns= , 'http://www.microsoft.com/GroupPolicv/TvDes ,, >NT 
AUTHORITY\This Organization </Name> 
</SecurityGroup> 

- <SecurityGroup> 

<SIDxmlns="http://www.microsoft.c m/GroupPolicy/TvDes">S-l-5-2i- 

3236881260-3653063036-2003513472-1003</SID> 

<Name 

</Sectrit7Grou^ 

- <SecurityGroup> 

<SID xmlns="http://www.microsoft.com/GroupPolicv/TvDes">S-l-5-2i. 

3236881260-3653063O36-2O03513472-516</SID> 

<Name 

ConTrolle^ 

</SecurityGroup> 

- <SecurityGroup> 

<SIDxmlns="http://www.microsoft.com/GroupPolicv/TvDes">S-l-s- 

9</SID> 

<Name xmlns="http://www.microsoft.com/GroupPolicy/TvDes">NT 
AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS</Name> 

</SecurityGroup> 

<SlowLink>false</SlowLink> 

- <ExtensionStatus> 

<Name>Security</Name> 

<Identifier>{827D319E-6EAC-llD2-A4EA-00C04F79F83A}</Identifier> 

<BeginTime>2003-04-10T21:38:03.0000000-07:00</BeginTime> 

<EndTime>2003-04-10T21:38.10.0000000-07:00</EndTime> 

<LoggingStatus>Complete</LoggingStatus> 
<Error>0</Error> 

</ExtensionStatus> 

- <ExtensionStatus> 

<Name>Registry</Name> 

<Identifier>{35378EAC-683F-llD2-A89A-00C04FBBCFA2></Identifier> 

<Beg.nTime>2003-04-10T21:47:04.0000000-07:00</BeginTime> 

<EndTime>2003-04-10T21:47:05.0000000-07:00</EndTime> 

<LoggingStatus>Complete</LoggingStatus> 
<Error>0</Error> 
</ExtensionStatus> 
• <ExtensionStatus> 

<Name>Group Policy Infrastructure</Name> 

<Identifier>{O0OO0O0O-OOOO-OO00-O0OO-0OOOOO00OOO0}</Identifier> 

<BeginTime>2003-06-27T23:37:31.0000000-07:00</BeginTime> 

<EndTime>2003-06-27T23:37:32.0000000-07:00</EndTime> 

<LoggingStatus>Complete</LoggingStatus> 
<Error>0</Error> 

</ExtensionStatus> 

<ExtensionStatus> 

<Name>EFS recovery</IMame> 

<Identmer><BlBE8D72-6EAC-llD2-A4EA-00C04F79F83A}</Identifier> 

<BeginT.me>2003-04-09T16:42:30.0000000-07:00</BeginTime> 

<EndTime>2003-04-09T16:42:38.0000000-07:00</EndTime> 
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<LoggingStatus>NotSupported</LoggingStatus> 
<Error>0</Error> 

</ExtensionStatus> 
- <GPO> 

<Name>Default Domain Policy</Name> 
- <Path> 

<Identifierxmlns="http://www.microsoft.coiT 



{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

Domain 

xmhs="http://www.microsoftxom/GroupPolicy/Types»>gpmcdemoxom</Don 



<VersionDirectory>3</VersionDirectory> 

<VersionSysvol>3</VersionSysvol> 

<Enabled>true</Enabled> 

<IsValid>true</IsValid> 

<FilterAllowed>true</FilterAllowed> 

<AccessDenied>false</AccessDenied> 

- <Link> 

<SOMPath >GPMCDemo.com </SOMPath > 

<SOMOrder>3</SOMOrder> 

<AppliedOrder>3</AppliedOrder> 

<Link0rder>4</Link0rder> 

<Enabled>true</Enabled> 

<NoOverride>false</NoOverride> 
</Link> 

</GPO> 

- <GPO> 

<Name>WW ITG Policy</Name> 

- <Path> 



lns=»http://www.micro S oft.com/GroupPolicy/Types">gpmcdemo.coni</Don 



<VersionDirectory>K/VersionDirectory> 

< VersionSysvol> K/VersionSysvol> 
<Enabled>true</Enabled> 

< Is Va I id > tr u e </Is Va I id > 

<FilterAllowed>true</FilterAllowed> 

<AccessDenied>false</AccessDenied> 

- <Link> 

<SOMPath>GPMCDemo.com</SOMPath> 

<SOMOrder>2</SOMOrder> 

<AppliedOrder>5</AppliedOrder> 

<LinkOrder>3</LinkOrder> 

<Enabled>true</Enabled> 

<NoOverride>true</l\loOverride> 
</Link> 

</GPO> 

- <GPO> 

<Name>WW EFS Recovery Policy</Name> 

- <Path> 




>es"> 
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identifier xmlns="http://www.microsoft.c m/GroupPolicv/TvDes"> 

{7FB311EA-A625-4FC7-AA2D-E49880A31B53></Identifier> 

< Domain 

</Path> S= httP://WWWmiCr Softcom/Gr u PPo'icy/Types">gpmcdem .com</Don 

<VersionDirectory>K/VersionDirectory> 

<VersionSysvol>l</VersionSysvol> 

<Enabled>true</Enabled> 

<IsValid>true</IsValid> 

<FilterAllowed>true</FilterAllowed> 

<AccessDenied>false</AccessDenied> 

- <Link> 

<SOMPath>GPMCDemo.com</SOMPath> 
<SOMOrder> l</SOMOrder> 

<AppliedOrder>2</AppliedOrder> 

<LinkOrder>2</LinkOrder> 

<Enabled>true</Enabled> 

<NoOverride>false</IMoOverride> 
</Link> 

</GPO> 

- <GPO> 

<Name>Default Domain Controllers Policy</Name> 

- <Path> 

<Identifierxmlns="http://www.microsoft.com/GroupPolicy/Tvpes"> 

■C6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

</Pa X th> S= httP://WWW " miCr ° SOft ' COm/Gr0upPo1 ^ 

<VersionDirectory>4</VersionDirectory> 

<VersionSysvol>4</VersionSysvol> 

<Enabled>true</Enabled> 

<IsValid>true</IsValid> 

<FilterAllowed>true</FilterAllowed> 

<AccessDenied>false</AccessDenied> 

- <Link> 

<SOMPath>GPMCDemo.com/Domain Controllers</SOMPath> 

< SOMOrder > K/SOMOrder> 

<Applied0rder>4</Applied0rder> 

<LinkOrder>5</LinkOrder> 

<Enabled>true</Enabled> 

<NoOverride>false</NoOverride> 
</Link> 

</GPO> 

<GPO> 

<Name>Local Group Policy</Name> 

- <Path> 

<Identifier 

</Pa X th> S= httP!//WWW ' miCrOSOft,COm/GrOUpPo,icy ^ 

<VersionDirectory>l</VersionDirectory> 

<VersionSysvol>l</VersionSysvol> 

<Enabled>true</Enabled> 
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< Is Va I id > tr ue </Is Va I id > 

< FilterAllowed>true</FilterAllowed > 

<AccessDenied>false</AccessDenied> 

- <Link> 

<SOMPath>Local</S0MPath> 
<SOMOrder> K/SOMOrder> 
<AppliedOrder> 1</Applied0rder> 
<LinkOrder>l</LinkOrder> 
<Enabled>true</Enabled> 
< NoOverride >f alse </NoOverride > 
</Link> 
</GPO> 
- < Extension Data > 

- < Extension 

xmlns:q5="http://www.microsoft.com/GroupPolicy/Settings/Securitv" 
xsi:type="q5:SecuritySettings" y 

xmlns="http://www.microsoft.com/GroupPolicy/Settings"> 

- <q5:Account> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http:// www.microsoft.com/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

</GPO> S= , ' http://WWWmicrosoft - com/Grou P |,olic y/ T yP^">gpmcdemo.com</ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 

<q5:Name>MaxServiceAge</q5:Name> ^/rreceaer 

<q5:SettingNumber>600</q5:Settingl\lumber> 
<q5:Type>Kerberos</q5:Type> 
</q5:Account> 

- <q5:Account> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

</GPO> S= " http://WWW - micr ° soft ' com/Grou P Polic y/Types">gpmcdemo.com</ 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<q5:Name>MaxTicketAge</q5:Name> /freceaer 

<q5:SettingNumber>10</q5:SettingNumber> 
<q5:Type>Kerberos</q5:Type> 
</q5:Account> 

- <q5:Account> 

- <GPO 

xmlns="http://www.micros ft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 
{31B2F340-016D-11D2-945F-00C04FB984F9></Identifier> 
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<Domain 

</GPO> S= httP//WWWmiCrOS ftcom/Gr u P Polic y/ T VP e s H >gpmcdem .com</ 

< Precedence 

xmlns="http://www.microsoft.com/Gr upPolicy/Settings/Base">l</Preceder 
<q5:Name>MinimumPassw rdAge</q5:Name> 
<q5:SettingNumber>l</q5:SettingNumber> 

< q 5 : Ty pe > Pa ss wo rd </q 5 : Type > 
</q5:Account> 

- <q5:Account> 

- <GPO 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base M > 

< Identifier 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9></Identifier> 

<Domain 

xmlns= M http://www.microsoftxom/GroupPolicy/Types ,, > 

</GPO> 

< Precedence 

xmlns= n http://www.microsoftxom/GroupPolicy/Settings/Base">l</Prec 
<q5:Name>PasswordHistorySize</q5:Name> 

<q5:SettingNumber>24</q5:SettingNumber> 
<q5:Type>Password</q5:Type> 
</q5:Account> 

- <q5:Account> 

- <GPO 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base M > 

< Identifier 

xmlns="http:// www. microsoft.com/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

</GPO> S= httP://WWW ' miCrOSO 

<Precedence 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base M >K/Preceder 
<q5:Name>MaxClockSkew</q5:Name> 

<q5:SettingNumber>5</q5:SettingNumber> 

<q5 :Type> Kerberos</q5 :Type > 

</q5:Account> 

- <q5:Account> 

- <GPO 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base , > 

<Identifier 

xmlns="http:// www.microsoft.com/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

</GPO> S= http://WWW " mkrOSOft,com/Grou P Po 

< Precedence 

xmlns="http:// www.micr soft.c m/GroupPolicy/Settings/Base"> K/Preceder 
<q5:Name>MinimumPasswordLength</q5:Name> 

<q5:SettingNumber>7</q5:SettingNumber> 
<q5:Type>Password</q5:Type> 
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</q5:Account> 

- <q5:Account> 

- <GPO 

xmlns= M http://www.micr s ft.c m/GroupPolicy/Settings/Base M > 

<Identifier 

xmlns= M http://www.microsoft.com/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

xmlns= , http://www.microsoft.com 

</GPO> 

< Precedence 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base M >l</Precede^ 
<q5:Name>LockoutBadCount</q5:Name> 

<q5:SettingNumber>0</q5:SettingNumber> 

<q5:Type> Account Lockout</q5:Type> 

</q5:Account> 

- <q5:Account> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPoIicy/Settings/Base ,, > 

identifier 

xmlns= M http:// www.microsoft.com/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base M >K/Preceder 
<q5:Name>MaximumPasswordAge</q5:Name> 

<q5:SettingNumber>42</q5:SettingNumber> 
<q5:Type>Password</q5:Type> 
</q5:Account> 

- <q5:Account> 

- <GPO 

xmlns= n http://www.microsoft.com/GroupPolicy/Settings/Base M > 

<Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types M > 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

xmlns= , http://www.microsoft.com/GroupPolicy/Types , >gpmcdemo.com<y 

</GPO> 

< Precedence 

xmlns= H http://www.microsoft.com/GroupPolicy/Settings/Base M >l</Preceder 
<q5:Name>MaxRenewAge</q5:Name> 

<q5:SettingNumber>7</q5:SettingNumber> 

<q5 :Type > Kerberos</q5 :Type > 

</q5:Account> 

■ <q5:Account> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns='http://www.microsoft.com/GroupP licy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 
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xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</Don 

</GPO> 

< Precedence 

xmlns="http://www.micr soft.com/GroupPolicy/Settings/Base">l</Preceder 
<q5:Name>TicketValidateClient</q5:Name> 
<q5:SettingBoolean>true</q5:SettingBoolean> 
<q5 :Type > Kerberos</q5 :Type> 
</q5:Account> 

- <q5:Account> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base ,, > 

<Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9></Identifier> 

<Domain 

xmlns="http://www.microsof^^ 

</GPO> 

<Precedence 

xmlns= 'http://www.mkrosoft.com/GroupPolicy/Settings/Base M >l</Preceder 
<q5:Name>PasswordComplexity</q5:Name> 
<q5 : SettingBoolean >true</q5 : SettingBoolean > 
<q5:Type> Password </q5:Type> 
</q5:Account> 

- <q5:Account> 

- <GPO 

xmlns= H http://www. microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns= M http:// www. microsoft.com/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

<Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preced^r 
<q5 : Name>ClearTextPassword </q5 : Name> 

<q5:SettingBoolean>false</q5: SettingBoolean > 
<q5:Type>Password</q5:Type> 
</q5:Account> 
* <q5:Audit> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

< Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base"> K/Preceder 
<q5:Name>AuditPolicyChange</q5:Name> 

<q5:SuccessAttempts>true</q5:SuccessAttempts> 

<q5:FailureAttempts>false</q5:FailureAttempts> 
</q5:Audit> 
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- <q5:Audit> 

- <GPO 

xmlns='http://www.microsoft.c m/GroupPolicy/Settings/Base"> 

<Identifier 

xmins = "http://www.microsoft.c m/Gr upPolicy/Types "> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.micr soft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<q5:Name>AuditPrivilegeUse</q5:Name> 

<q5:SuccessAttempts>false</q5:SuccessAttempts> 
<q5:FailureAttempts>false</q5:FailureAttempts> 
</q5:Audit> 

- <q5:Audit> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= "http://www.microsoft.com/GroupPolicy/Types ">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base ,, >K/Preceder 
<q5:Name>AuditDSAccess</q5:Name> 

<q5:SuccessAttempts>true</q5:SuccessAttempts> 

<q5:FailureAttempts>false</q5:FailureAttempts> 
</q5:Audit> 

- <q5:Audit> 

- <GPO 

xmlns= "http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<q5 : Name> AuditAccountLogon </q5 : Name> 

<q5:SuccessAttempts>true</q5:SuccessAttempts> 

<q5:FailureAttempts>false</q5:FailureAttempts> 
</q5:Audit> 

• <q5:Audit> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www.microsoft.c m/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.micros ft.com/Gr upP licy/Types">gpmcdemo.com</ 



Page 57 of 75 



</GPO> 

< Precedence 

xmlns="http://www.micros ft.com/GroupPolicy/Settings/ Base">K/Preceder 
<q5:Name>AuditObjectAccess</q5:Name> 
<q5:SuccessAttempts>false</q5:SuccessAttempts> 
<q5:FailureAttempts>false</q5:FailureAttempts> 
</q5:Audit> 

- <q5:Audit> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base H > 

<Identifier 

xmlns='http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F.llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= , http://www.microsoft.com/GroupPolicy/Types u >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns='http://www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 
<q5:Name>AuditAccountManage</q5:Name> 

<q5:SuccessAttempts>true</q5:SuccessAttempts> 
<q5:FailureAttempts>false</q5:FailureAttempts> 
</q5:Audit> 

- <q5:Audit> 

- <GPO 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http:// www.microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<q5:Name>AuditLogonEvents</q5:Name> 

<q5:SuccessAttempts>true</q5:SuccessAttempts> 

<q5:FailureAttempts>false</q5:FailureAttempts> 
</q5:Audit> 

• <q5:Audit> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preceder 
<q5:Name>AuditProcessTracking</q5:Name> 

<q5:SuccessAttempts>false</q5:SuccessAttempts> 

<q5 : FailureAttempts>false</q5 : FailureAttempts> 
</q5:Audit> 
<q5:Audit> 
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- <GPO 

xmlns="http://www. microsoft.com/GroupP !icy/Settings/Base"> 

<Identifier 

xmlns="http://www.micr soft.c m/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www. micros ft.com/GroupPolicy/Types">gpmcdemo.c m<7 

</GPO> 

<Precedence 

xmlns= M http://www.microsoft.com/GroupPoiicy/Settings/Base M >l</Preceder 
<q5:Name>AuditSystemEvents</q5:Name> 

<q5:SuccessAttempts>true</q5:SuccessAttempts> 
<q5:FailureAttempts>false</q5:FailureAttempts> 
</q5:Audit> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns='http://www. microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GP0> 

< Precedence 

xmlns="http:// www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 
<q5:Name>SeMachineAccountPrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns="http://www.microsoft.com/GroupPolicy/Types">Authenticated 

Users</Name> 

</q5:Member> 
</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GP0 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GP0> 

< Precedence 

xmins= M http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preceder 
<q5:Name>SeDenyNetworkLogonRight</q5:Name> 

- <q5:Member> 

<Name 

xmlns="http://www.microsoft.com/GroupPolicy/Types">GPMCDEMO\SUPP 

</q5:Member> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GP0 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 



Page 59 of 75 



xmlns="http://www.microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns='http://www.micr s ft.com/6r upPolicy/Types">gpmcdemo.c m</ 

</GPO> 

< Precedence 

xmlns="http://www.micr soft.com/GroupPolicy/Settings/Base"> 1</Preceder 
<q5:Name>SeRestorePrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">Server 
Operators</Name> 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns= , http://www.microsoft.com/GroupPolicy/Types n >Backup 
Operators</Name> 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns = M http://www.microsoftxom/GroupPolicy/Types ,, >Administrato 

</q5:Member> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns= M http://www. microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns = "http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GP0> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<q5:Name>SeTcbPrivilege</q5:Name> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns= M http://www.microsoft.com/GroupPoIicy/Settings/Base"> 

<Identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<q5:Name>SeSystemProfilePrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns="http://www.microsoft.com/GroupP I icy/ Types ">Administrators</r 

</q5:Member> 

</q5:UserRightsAssignment> 
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- <q5:UserRightsAssignment> 

- <GPO 

xmlns= 'http://www.microsoft.com/GroupPolicy/Settings/Base M > 

< Identifier 

xmlns="http://www.microsoft.com/GroupP licy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Types M >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns= M http://www,microsoft.com/GroupPolicy/Settings/Base M >l</Preceder 
<q5:Name>SeDenyServiceLogonRight</q5:Name> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base M > 

< Identifier 

xmlns^'http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= n http://www.microsoft.com/GroupPolicy/Types n >gpmcdemo.com</ 

</GPO> 

<Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<q5:Name>SeServiceLogonRight</q5:Name> 

- <q5:Member> 

<Name 

xmlns = M http:/ /www. microsoft. com/ GroupPolicy/Types"> NETWORK 
SERVICE</Name> 

</q5:Member> 
</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base , > 

<Identifier 

xmlns= M http://www.microsoft.com/GroupPolicy/Types M > 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types M >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base M >K/Preceder 
<q5:Name>SeUndockPrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns= n http://www.microsoft.com/GroupPolicy/Types M >Administrators</P 

</q5:Member> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns^ 'http://www.micr soft.com/GroupPolicy/Settings/Base'> 

identifier 

xmlns= M http://www.microsoft.com/GroupPolicy/Types"> 
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{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/Grou^ 

</GPO> 

< Precedence 

xmlns="http://www.micr soft.c m/GroupPolicy/Settings/Base'> 1</Preceder 
<q5:Name>SeRemoteInteractiveLog nRight</q5:Name> 

- <q5:Member> 

<Name 

xmlns = M http://www.microsoftxom/GroupPolicy/Types">GPMCDEMO\Domi 

Users</Name> 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns= u http://www.microsoft.com/GroupPolicy/Types n >TESTl 
\Domain Users</Name> 

</q5:Member> 
</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns='http://www.microsoft-com/GroupPolicy/Settings/Base M > 

<Identifier 

xmlns="http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9></Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types M >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Settings/Base n >l</Preceder 
<q5:Name>SeCreatePermanentPrivilege</q5:Name> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base M > 

<Identifier 

xmlns= M http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-O0C04fB984F9}</Identifier> 

<Domain 

xmlns = "http://www.microsoft.com/GroupPolicy/Types M >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base M >K/Preceder 
<q5:Name>SeAuditPrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns= M http://www.microsoft.com/GroupPolicy/Types n >NETWORK 
SERVICE</Name> 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns="http://www.micr s ft.c m/GroupPolicy/Types">LOCAL 
SERVICE</Name> 

</q5:Member> 
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</q5 : UserRightsAssignment> 
<q5:UserRightsAssignment> 

- <GPO 

xmlns="http://www.micr s ft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www.micros ft.com/Gr upPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoftxom/GroupPolicy/Types">gpmcdemo.com 

</GPO> 

< Precedence 
xmlns= M http://www.microsoft.com 

<q5:Name>SeTakeOwnershipPrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns = M http://www.microsoft.com/GroupPolicy/Types M >Administrators< 

</q5:Member> 

</q5:UserRightsAssignment> 
<q5:UserRightsAssignment> 

- <GPO 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base M > 

<Identifier 

xmlns= M http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= n http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns== M http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<q5:Name>SeCreatePagefilePrivilege</q5:Name> 

<q5:Member> 
<Name 

xmlns = 'http://www.microsoft.com/GroupPolicy/Types M >Administrators</r 

</q5:Member> 

/q5:UserRightsAssignment> 

q5:UserRightsAssignment> 

<GPO 

xmlns= M http://www,microsoft.com/GroupPolicy/Settings/Base M > 

identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types M >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns= M http://www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 
<q5:Name>SeEnableDelegationPrivilege</q5:Name> 

<q5:Mernber> 

<Name 

xmlns='http://www.micros ft.c m/GroupPolicy/Types">Administrat rs</f 

</q5:Member> 

/q5:UserRightsAssignment> 
q5:UserRightsAssignment> 
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- <GPO 

xmlns= M http://www.micr s ft.com/GroupPolicy/Settings/Base M > 

<Identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9></Identifier> 

<Domain 

xmlns='http://www.micr s ft.c m/Gr upPolicy/Types">gpmcdemo.c m</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base M >l</Preceder 
<q5:Name>SeDebugPrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Types M >Administrato 

</q5:Member> 

</q5:UserRightsAssignment> 
<q5:UserRightsAssignment> 

- <GPO 

xmlns= "http:// www.microsoft.com/GroupPolicy/Settings/Base 1 > 

<Identifier 

xmlns="http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns = n http://www.microsoft.com/GroupPolicy/Types M >gpmcdemo.com</ 

</GPO> 

<Precedence 

xmlns= , http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 
<q5:Name>SeSystemTimePrivilege</q5:Name> 

<q5:Member> 
<Name 

xmlns= n http://www.microsoft.com/GroupPolicy/Types">Server 
Operators</Name> 

</q5:Member> 

<q5:Member> 

<Name 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Types">Administrators</r 

</q5:Member> 

7q5:UserRightsAssignment> 
q5 : UserRightsAssignment> 
<GPO 

xmlns="http://www.microsoft.com/GroupPoIicy/Settings/Base M > 

<Identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9></Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preceder 
<q5:Name>SeDenyBatchL gonRight</q5:Name> 

/q5:UserRightsAssignment> 

q5:UserRightsAssignment> 

<GPO 
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xmlns='http://www.micr s ft.c m/Gr upPo!icy/Settings/Base"> 

<Identifier 

xmlns="http://www.micr soft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www. micros ft.com/GroupPolicy/Types n >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http.7/www.microsoft.com/Group 
<q5:Name>SeBackupPrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns="http://www.microsoft.com/GroupPolicy/Types">Server 
Operators</Name> 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns= n http://www.microsoft.com/GroupPolicy/Types">Backup 
Operators</Name> 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns = M http://www.microsoftxom/G™ 

</q5:Member> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns= M http://www.microsoftxom/GroupPolicy/Settings/Base , > 

<Identifier 

xmlns = M http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= , http://www.microsoft.com/GroupPolicy/Types M >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 
<q5:Name>SeCreateTokenPrivilege</q5:Name> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-O0C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 
<q5:Name>SeChangeNotifyPrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns="http://www.micros ft.com/GroupPolicy/Types">Pre 
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-Windows 2000 Compatible Access</Name> 
</q5:Member> 
• <q5:Member> 
<Name 

xmlns="http://www.micr soft.com/GroupP licy/Types">Authenticated 

Users</Name> 

</q5:Member> 
<q5:Member> 
<Name 

xmlns= M http://www.microsoft.com/GroupPolicy/Types M >Administrators</r 

</q5:Member> 

<q5:Member> 
<Name 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">Everyone</Name> 

</q5:Member> 

:/q5:UserRightsAssignment> 
:q5 : UserRightsAssignment> 
<GPO 

xmlns= M http://www.microsoft.com/GroupPo!icy/Settings/Base M > 

<Identifier 

xmlns= ,, http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types ,, >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 
<q5:Name>SeSyncAgentPrivilege</q5:Name> 

7q5:UserRightsAssignment> 
q5 : UserRightsAssignment> 
<GPO 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http://www,microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 
<q5:Name>SeProfileSingleProcessPrivilege</q5:Name> 

<q5:Member> 

<Name 

xmlns = "http://www.microsoft.com/GroupPolicy/Types">Administrators</r 

</q5:Member> 

/q5 : UserRightsAssignment> 

q5:UserRightsAssignment> 

<GPO 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http://www.micr soft.c m/GroupP licy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 
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xmlns='http;//www.micr soft.com/Gr upP licy/Types">gpmcdem .com</Don 

</GPO> 

< Precedence 

xmlns= M http://www.micros ft.c m/GroupPolicy/Settings/Base M >l</Preceder 
<q5:Name>SeL adDriverPrivilege</q5:Name> 

<q5:Member> 
<Name 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Types M >Print 

Operators </Name> 
</q5:Member> 
<q5:Member> 
<Name 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Types n >Administrators</P 

</q5:Member> 

/q5:UserRightsAssignment> 

q5:UserRightsAssignment> 

<GPO 

xmlns= M httpj//www.microsoft.com/GroupPolicy/Settings/Base ,, > 

< Identifier 

xmlns = ,, http://www.microsoft.com/GroupPolicy/Types ,, > 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns = n http://www.mkrosoft.com/GroupPolicy/Types M >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns='http://www. microsoft.com/GroupPolicy/Settings/Base'> 1</Preceder 
<q5:Name>SeInteractiveLogonRight</q5:Name> 

<q5:Member> 
<Name 

xmlns="http://www.microsoft.com/GroupPolicy/Types M >Account 
Operators</Name> 

</q5:Member> 

<q5:Member> 

<Name 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">Administrato 

</q5:Member> 

<q5:Member> 
<Name 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Types">Backup 
Operators</Name> 

</q5:Member> 
<q5:Member> 
<Name 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Types , >GPMCDEMO\D mi 

Users</Name> 

</q5:Member> 
<q5:Member> 
<Name 

xmlns= H http://www.microsoft.com/GroupPolicy/Types">Print 
Operators</Name> 

</q5:Member> 

<q5:Member> 

<Name 
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xmlns="http://www.micros ft.com/GroupPolicy/Types">Server 

Operators </Na me > 
</q5:Member> 

- <q5:Member> 

<Name 

xmlns= M http://www.micr soft.c m/Gr upPolicy/Types H >TESTl 
\D main Users</Name> 

</q5:Member> 
</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns= , http://www.microsoft i com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns= M http://www.microsoft,com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft^^ 

</GPO> 

< Precedence 

xmlns= M http://www.microsoftxom/GroupPolicy/Settings/Base M >l</Preced 
<q5:Name>SeRemoteShutdownPrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns^"http://www.microsoft.com/GroupPolicy/Types ,, >Server 
Operators</Name> 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns="http://www.microsoftxom 

</q5:Member> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base M > 

< Identifier 

xmlns= M http://www.microsoft.com/GroupPo[icy/Types M > 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= ,, http://www.microsoftxom/GroupPolicy/Types , >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoftxom/GroupPolicy/Settings/Base M >l</Prece 
<q5:Name>SeIncreaseBasePriorityPrivilege</q5:Name> 

- <q5:Member> 

<Name 

xmlns= M http://www.microsoftxom 

</q5:Member> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns= M http://www. microsoft.com/GroupP licy/Settings/Base M > 

< Identifier 

xmlns="http://www.microsoft.c m/Gr upPolicy/Types"> 
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{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www. microsoft.com/Gr upPolicy/Types ">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/Gr upPolicy/Settings/Base">K/Preceder 
<q5:Name>SeNetworkLogonRight</q5:Name> 

- <q5:Member> 

<Name 

xmlns="http:// www.microsoft.com/GroupPolicy/Types 1 > Pre 
-Windows 2000 Compatible Access</Name> 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns= M http://www.microsoft.com/GroupPolicy/Types M >ENTERPRISE 
DOMAIN CONTROLLERS</Name> 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns=="http://www.microsoft.com/GroupPolicy/Types M >Authenticated 

Users</Name> 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns= M http://www.microsoft.com/GroupPolicy/Types n >Administrators</P 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns== M http://www.microsoft.com/GroupPolicy/Types M >Everyone</Name> 

</q5:Member> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">K/Preced^r 
<q5:Name>SeLockMemoryPrivilege</q5:Name> 

</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns= H http://www. microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http:// www.microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 
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< Precedence 

xmlns=="http://www.micr s ft.c m/GroupPolicy/Settings/Base">l</Preceder 
<q5:Name>SeShutdownPrivilege</q5:Name> 

• <q5:Member> 

<Name 

xmlns="http:// www. microsoft.com/Gr upPolicy/Types"> Print 
Operators</Name> 

</q5:Member> 

• <q5:Member> 

<Name 

xmlns= H http://www.microsoft.com/GroupPolicy/Types">Server 
Operators</Name> 

</q5:Member> 

<q5:Member> 

<Name 

xmlns= M http://www.microsoftxom/GroupPolicy/Types">Backup 
Operators</Name> 

</q5:Member> 

<q5:Member> 

<Name 

xmlns== M http://www.microsoft.com/GroupPolicy/Types">Administrators</r 

</q5:Member> 

:/q5:UserRightsAssignment> 

q5:UserRightsAssignment> 

<GPO 

xmlns= M http://www. microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns = "http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9></Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com<y 

</GP0> 

< Precedence 

xmlns='http://www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 
<q5:Name>SeSecurityPrivilege</q5:Name> 

<q5:Member> 
<Name 

xmlns="http:// www. microsoft.com/GroupPolicy/Types"> Administrators</r 

</q5:Member> 

7q5:UserRightsAssignment> 

q5:UserRightsAssignment> 

<GP0 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns = "http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GP0> 

< Precedence 

xmlns="http://www.micr soft.com/GroupPolicy/Settings/Base"> K/Preceder 
<q5:Name>SeAssignPrimaryTokenPrivilege</q5:Name> 

<q5:Member> 
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<Name 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Types M >NETWORK 
SERVICE</Name> 

</q5:Member> 

<q5:Member> 

<Name 

xmlns= M http://www.micr soft.com/GroupPolicy/Types M >LOCAL 
SERVICE</Name> 

</q5:Member> 
/q5 : UserRightsAssignment> 
q5 : UserRightsAssignment> 
<GPO 

xmlns= M http://www.microsoft,com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns = M http://www.microsoft.com/GroupPolicy/Types ,, > 
{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoftxom/GroupPolicy/Types">gpmcdemoxom</ 

</GPO> 

< Precedence 
xmlns='http://www.microsoft.com/Grou^ 

<q5:Name>SeSystemEnvironmentPrivilege</q5:Name> 

<q5:Member> 
<Name 

xmlns = 'http://www.microsoftxom/GroupPolicy/Types">Administrators</r 

</q5:Member> 

/q5:UserRightsAssignment> 

q5:UserRightsAssignment> 

<GPO 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base ,, > 

< Identifier 

xmlns="http://www.microsoft.com/GroupPolicy/Types M > 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoftxom/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoftxom/GroupPolicy/Settings/Base n >l</Preceder 
<q5:Name>SeIncreaseQuotaPrivilege</q5:Name> 

<q5:Member> 
<Name 

xmlns= n http://www.microsoftxom/G^ 

</q5:Member> 
<q5:Member> 
<Name 

xmlns= ,, http://www.microsoft.com/GroupPolicy/Types M >NETWORK 
SERVICE</Name> 

</q5:Member> 

<q5:Member> 

<Name 

xmlns='http:// www. micros ft.com/GroupPolicy/Types n >LOCAL 
SERVICE</Name> 

</q5:Member> 
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</q5 : UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns="http://www. micros ft.c m/GroupPolicy/ Settings/ Base > 

<Identifier 

xmlns="http://www.micros ft.c m/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoftxom/GroupPolicy/Types ,, >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preced 
<q5:Name>SeBatchLogonRight</q5:Name> 

- <q5:Member> 

<Name 

xmlns = H http://www.microsoftxom/GroupPolicy/Types M >GPMCDEMO\SUPP 

</q5:Member> 

- <q5:Member> 

<Name 

xmlns= u http://www.microsoft.com/GroupPolicy/Types M >LOCAL 
SERVICE</Name> 

</q5:Member> 
</q5:UserRightsAssignment> 

- <q5:UserRightsAssignment> 

- <GPO 

xmlns="http:// www. microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns= M http://www.microsoft.com/GroupPolicy/Types H > 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= n http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base'> 1</Preceder 
<q5:Name>SeDenyInteractiveLogonRight</q5:Name> 

- <q5;Member> 

<Name 

xm Ins ="http://www. microsoft.com/GroupPolicy/Types n >GPMCDEMO\SUPP 

</q5:Member> 

</q5:UserRightsAssignment> 

- <q5:SecurityOptions> 

- <GPO 

xmlns= H http://www.microsoft.com/GroupPolicy/Settings/Base , > 

< Identifier 

xmlns= M http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types n >gpmcdemo-com</ 

</GPO> 

< Precedence 

xmlns='http://www.micros ft.com/GroupPolicy/Settings/Base">K/Preceder 
<q5:KeyName>MACHINE\System\CurrentControlSet\Services\LanManServer 
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<q5:SettingNumber>l</q5:SettingNumber> 

- <q5:Display> 

<q5:Name>Microsoft network server: Digitally sign 

communications (if client agrees) </q5:Name> 
<q5 : DisplayBoolean> true </q5 : DisplayBoo!ean> 
</q5:Display> 
</q5:SecurityOptions> 

- <q5:SecurityOptions> 

- <GPO 

xmlns= u http://www. microsoft.com/GroupPolicy/ Settings/Base M > 

< Identifier 

xmlns="http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types M >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns= H http://www.microsoft.com/GroupPolicy/Settings/Base , >l</Preceder 

<q5:KeyName>MACHINE\System\CurrentControlSet\Control\Lsa\LmCompati 

<q5:SettingNumber>2</q5:SettingNumber> 

- <q5:Display> 

<q5:Name>Network security: LAN Manager authentication 

level </q5:Name> 
<q5:DisplayString>Send NTLM response only</q5:DisplayString> 
</q5:Display> 
</q5 : SecurityOptions > 

- <q5:SecurityOptions> 

- <GPO 

xmlns= M http:// www.microsoft.com/GroupPolicy/Settings/Base"> 

< Identifier 

xmlns="http:// www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns = "http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

<Precedence 

xmlns="http://www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 

<q5:KeyName>MACHINE\System\CurrentControlSet\Services\NTDS\Parame 

<q5:SettingNumber>l</q5:SettingNumber> 

- <q5:Display> 

<q5:Name>Domain controller: LDAP server signing 
requirements</q5:Name> 

<q5:DisplayString>None</q5:DisplayString> 
</q5:Display> 
</q5:SecurityOptions> 

- <q5:SecurityOptions> 

- <GPO 

xmlns="http://www. microsoft.com/Gr upP licy/Settings/Base"> 

<Identifier 

xmlns = "http:// www.microsoft.com/GroupP licy/Types"> 
{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 
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<Domain 

xmlns= M http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.c m<y 

</GPO> 

< Precedence 
xmlns="http://www.microsoft.com/GroupPo 

<q5:KeyName>MACHINE\System\CurrentControlSet\Services\Netl gon\Para 

<q5:SettingIMumber>l</q5:SettingNumber> 

- <q5:Display> 

<q5:Name>Domain member: Digitally encrypt or sign secure 

channel data (always)</q5:Name> 
<q5:DisplayBoolean>true</q5:DisplayBoolean> 
</q5:Display> 
</q5 : Secu rityOptions > 

- <q5:SecurityOptions> 

- <GPO 

xmlns= n http://www.microsoft.com/GroupPolicy/Settings/Base H > 

< Identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{6AC1786C-016F-llD2-945F-00C04fB984F9}</Identifier> 

<Domain 

xmlns = M http://www.microsoft,com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns^"http://www. microsoft.com/GroupPolicy/Settings/Base"> 1</Preceder 

<q5:KeyName>MACHINE\System\CurrentControlSet\Services\LanManServer 

<q5:SettingNumber>K/q5:SettingNumber> 

- <q5:Display> 

<q5:Name>Microsoft network server: Digitally sign 

communications (always) </q5 : Name> 
<q5:DisplayBoolean>true</q5:DisplayBoolean> 
</q5:Display> 
</q5 : SecurityOptions > 

- <q5:SecurityOptions> 

- <GPO 

xmlns="http:// www.microsoft.com/GroupPolicy/Settings/Base"> 

identifier 

xmlns="http://www. microsoft.com/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

xmlns="http://www.microsoft.com/GroupPolicy/Types">gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 

<q5:SystemAccessPolicyName>ForceLogoffWhenHourExpire</q5:SystemAccessPc 

<q5:SettingNumber>0</q5:Settingl\Iumber> 
</q5: SecurityOptions > 
</Extension> 
<Name 

xmlns="http:// www.microsoft.com/Gr upP licy/Settings">Security</Name> 

</ExtensionData> 
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- <ExtensionData> 

- <Extension 

xmlns:q6="http://www.micr s ft.c m/Gr upPolicy/ Settings/ Registry" 
xsi:type="q6:RegistrySettings" 

xmlns="http://www.micros ft.com/GroupPolicy/Settings"> 

- <q6:RegistrySetting> 

- <GPO 

xmlns= 'http://www.microsoft.com/GroupPolicy/Settings/ Base > 

<Identifier 

xmlns== M http://www.microsoft.com/GroupPolicy/Types M >LocalGPO</Identif 

</GPO> 

< Precedence 

xmlns= , http://www.microsoft.com/GroupPolicy/Settings/Base ,, >l</Preceder 

<q6:KeyPath>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Expl 

<q6:AdmSetting>false</q6:AdmSetting> 
</q6 : Registry Setting > 

- <q6: Registry Setting > 

- <GPO 

xmlns= M http:// www. microsoft.com/GroupPolicy/Settings/Base"> 

<Identifier 

xmlns = "http://www.microsoft.com/GroupPolicy/Types">LocalGPO</Identif 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/GroupPolicy/Settings/Base">l</Preceder 

<q6:KeyPath>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explo 

<q6:AdmSetting>false</q6:AdmSetting> 

- <q6:Value> 

<q6:Name>NoActiveDesktop</q6:Name> 
<q6:Number>l</q6;Number> 
</q6:Value> 
</q6 : Reg istrySetting > 
</Extension> 
<Name 

xmlns="http://www.microsoft.com/GroupPolicy/Settings">Registry</Name> 

</ExtensionData> 

- <ExtensionData> 

- < Extension 

xmlns:q7 = "http:// www. microsoft.com/GroupPolicy/Settings/PublicKey" 
xsi:type="q7:PublicKeySettings" 

xmlns="http://www. microsoft.com/GroupPolicy/Settings"> 

- <q7:AutoEnrollmentSettings> 

<q7:EnrollCertificatesAutomatically>true</q7:EnrollCertificatesAutomatically> 

- <q7:Options> 

<q7:RenewUpdateRevoke>false</q7:RenewUpdateRevoke> 
<q7:UpdateTemplates>false</q7:UpdateTemplates> 
</q7:Options> 

</q7:AutoEnrollmentSettings> 

- <q7:EFSSettings> 

<q7:AllowEFS>true</q7:AllowEFS> 
</q7:EFSSettings> 



Page 75 of 75 



- <q7:EFSRecoveryAgent> 

- <GPO 

xmlns="http://www.micros ft.c m/Gr upPolicy/Settings/Base"> 

<Identifier 

xmlns='http://www.micr s ft.c m/GroupPolicy/Types"> 

{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier> 

<Domain 

xmlns="http://www.micr s ft.com/GroupPolicy/Types M >gpmcdemo.com</ 

</GPO> 

< Precedence 

xmlns="http://www.microsoft.com/G™^ 
<q7:IssuedTo>Administrator</q7:IssuedTo> 
<q7:IssuedBy>Administrator</q7:IssuedBy> 
<q7:ExpirationDate>2006-04-08T16:41:54. 0000000- 

07:00</q7:ExpirationDate> 

- <q7:CertificatePurpose> 

<q7:Purpose> 1.3. 6.1.4.1. 311. 10.3.4. K/q7:Purpose> 
</q7:CertificatePurpose> 

<q7:Data>030000000100000014000000FE9FBCFBF695B31D21133BF36B53C 

</q7 : EFSRecoveryAgent> 

- <q7:RootCertificateSettings> 

<q7:AllowNewCAs>true</q7:AllowNewCAs> 
<q7:TrustThirdPartyCAs>true</q7:TrustThirdPartyCAs> 

<q7:RequireUPNNamingConstraints>false</q7:RequireUPNNamingConstraints> 
</q7:RootCertificateSettings> 

</Extension> 

<Name 

xmlns= M http://www.microsoft.com/GroupPolicy/Settings M >Public 

Key</Name> 

</ExtensionData> 
</ComputerResults> 
</Rsop> 



